Triangular asynchronous replication

ABSTRACT

Storing recovery data includes providing chunks of data to a remote destination, where each chunk of data represents data written before a first time and after a second time and where the second time for one of the particular chunks corresponds to a first time for a subsequent one of the particular chunks, providing synchronous data to a local destination, and providing an indicator to the local destination in connection with creation of a new chunk of data for storage at the remote destination. The local destination may maintain a plurality of maps, where each of the maps associates synchronous data being provided thereto with a specific chunk of data. In response to receiving an indicator in connection with creation of a new chunk of data, the local destination may point to a new map. There may be two maps or more than two maps.

BACKGROUND OF THE INVENTION

1. Technical Field

This application relates to computer storage devices, and moreparticularly to the field of transferring data between storage devices.

2. Description of Related Art

Host processor systems may store and retrieve data using a storagedevice containing a plurality of host interface units (host adapters),disk drives, and disk interface units (disk adapters). Such storagedevices are provided, for example, by EMC Corporation of Hopkinton,Mass. and disclosed in U.S. Pat. No. 5,206,939 to Yanai et al., U.S.Pat. No. 5,778,394 to Galtzur et al., U.S. Pat. No. 5,845,147 toVishlitzky et al., and U.S. Pat. No. 5,857,208 to Ofek. The host systemsaccess the storage device through a plurality of channels providedtherewith. Host systems provide data and access control informationthrough the channels to the storage device and the storage deviceprovides data to the host systems also through the channels. The hostsystems do not address the disk drives of the storage device directly,but rather, access what appears to the host systems as a plurality oflogical disk units. The logical disk units may or may not correspond tothe actual disk drives. Allowing multiple host systems to access thesingle storage device unit allows the host systems to share data storedtherein.

In some instances, it may be desirable to copy data from one storagedevice to another. For example, if a host writes data to a first storagedevice, it may be desirable to copy that data to a second storage deviceprovided in a different location so that if a disaster occurs thatrenders the first storage device inoperable, the host (or another host)may resume operation using the data of the second storage device. Such acapability is provided, for example, by the Remote Data Facility (RDF)product provided by EMC Corporation of Hopkinton, Mass. With RDF, afirst storage device, denoted the “primary storage device” (or “R1”) iscoupled to the host. One or more other storage devices, called“secondary storage devices” (or “R2”) receive copies of the data that iswritten to the primary storage device by the host. The host interactsdirectly with the primary storage device, but any data changes made tothe primary storage device are automatically provided to the one or moresecondary storage devices using RDF. The primary and secondary storagedevices may be connected by a data link, such as an ESCON link, a FibreChannel link, and/or a Gigabit Ethernet link. The RDF functionality maybe facilitated with an RDF adapter (RA) provided at each of the storagedevices.

RDF allows synchronous data transfer where, after data written from ahost to a primary storage device is transferred from the primary storagedevice to a secondary storage device using RDF, receipt is acknowledgedby the secondary storage device to the primary storage device which thenprovides a write acknowledge back to the host. Thus, in synchronousmode, the host does not receive a write acknowledge from the primarystorage device until the RDF transfer to the secondary storage devicehas been completed and acknowledged by the secondary storage device.

A drawback to the synchronous RDF system is that the latency of each ofthe write operations is increased by waiting for the acknowledgement ofthe RDF transfer. This problem is worse when there is a long distancebetween the primary storage device and the secondary storage device;because of transmission delays, the time delay required for making theRDF transfer and then waiting for an acknowledgement back after thetransfer is complete may be unacceptable.

It is also possible to use RDF in an a semi-synchronous mode, in whichcase the data is written from the host to the primary storage devicewhich acknowledges the write immediately and then, at the same time,begins the process of transferring the data to the secondary storagedevice. Thus, for a single transfer of data, this scheme overcomes someof the disadvantages of using RDF in the synchronous mode. However, fordata integrity purposes, the semi-synchronous transfer mode does notallow the primary storage device to transfer data to the secondarystorage device until a previous transfer is acknowledged by thesecondary storage device. Thus, the bottlenecks associated with usingRDF in the synchronous mode are simply delayed by one iteration becausetransfer of a second amount of data cannot occur until transfer ofprevious data has been acknowledged by the secondary storage device.

Another possibility is to have the host write data to the primarystorage device in asynchronous mode and have the primary storage devicecopy data to the secondary storage device in the background. Thebackground copy involves cycling through each of the tracks of theprimary storage device sequentially and, when it is determined that aparticular block has been modified since the last time that block wascopied, the block is transferred from the primary storage device to thesecondary storage device. Although this mechanism may attenuate thelatency problem associated with synchronous and semi-synchronous datatransfer modes, a difficulty still exists because there can not be aguarantee of data consistency between the primary and secondary storagedevices. If there are problems, such as a failure of the primary system,the secondary system may end up with out-of-order changes that make thedata unusable.

A proposed solution to this problem is the Symmetrix AutomatedReplication (SAR) process, which is described in pending U.S. patentapplication Ser. Nos. 10/224,918 and 10/225,021, both of which werefiled on Aug. 21, 2002. The SAR uses devices (BCV's) that can mirrorstandard logical devices. A BCV device can also be split from itsstandard logical device after being mirrored and can be resynced (i.e.,reestablished as a mirror) to the standard logical devices after beingsplit. In addition, a BCV can be remotely mirrored using RDF, in whichcase the BCV may propagate data changes made thereto (while the BCV isacting as a mirror) to the BCV remote mirror when the BCV is split fromthe corresponding standard logical device.

However, using the SAR process requires the significant overhead ofcontinuously splitting and resyncing the BCV's. The SAR process alsouses host control and management, which relies on the controlling hostbeing operational. In addition, the cycle time for a practicalimplementation of a SAR process is on the order of twenty to thirtyminutes, and thus the amount of data that may be lost when an RDF linkand/or primary device fails could be twenty to thirty minutes worth ofdata.

Thus, it would be desirable to have an RDF system that exhibits some ofthe beneficial qualities of each of the different techniques discussedabove while reducing the drawbacks. Such a system would exhibit lowlatency for each host write regardless of the distance between theprimary device and the secondary device and would provide consistency(recoverability) of the secondary device in case of failure.

It would also be desirable to be able to combine the benefits obtainedfrom synchronous RDF transfers and asynchronous RDF transfers so thatup-to-date backup data may be provided on a JO remote device that isrelatively close (geographically) to a source device while, at the sametime, backup data may also be provided to a backup device that isrelatively far from the source device. It would also be desirable ifsuch a system provided for appropriate data recovery among the backupdevices.

SUMMARY OF THE INVENTION

According to the present invention, storing recovery data includesproviding chunks of data to a remote destination, where each chunk ofdata represents data written before a first time and after a second timeand where the second time for one of the particular chunks correspondsto a first time for a subsequent one of the particular chunks, providingsynchronous data to a local destination, and providing an indicator tothe local destination in connection with creation of a new chunk of datafor storage at the remote destination. The local destination maymaintain a plurality of maps, where each of the maps associatessynchronous data being provided thereto with a specific chunk of data.In response to receiving an indicator in connection with creation of anew chunk of data, the local destination may point to a new map. Theremay be two maps or more than two maps. In response to the localdestination failing to acknowledge synchronous data provided thereto,the remote destination may maintain a map of data written thereto.Storing recovery data may include, in response to the local destinationfailing to acknowledge synchronous data provided thereto, the remotedestination maintaining a count of a number of times a new chunk of datais created.

According further to the present invention, recovering data stored on alocal destination and a remote destination includes determining which ofthe local destination and the remote has the most up-to-date data,copying data from the remote destination to the local destination if theremote destination has the most up-to-date data, and copying data fromthe local destination to the remote destination if the local destinationhas the most up-to-date data. Determining which of the local destinationand the remote destination has the most up-to-date data may includeexamining a token provided by the remote destination that indicates anamount of new data that is stored on the remote destination that is notstored on the local destination. The token may indicate a number of newchunks of data provided to the remote storage device following failureof the local storage device to acknowledge data provided thereto, whereeach chunk of data represents data written before a first time and aftera second time and where the second time for one of the particular chunkscorresponds to a first time for a subsequent one of the particularchunks. Copying data from the remote destination to the localdestination may include copying data indicated by a map corresponding todata written to the remote destination that is not acknowledged as beingwritten to the local destination. Copying data from the localdestination to the remote destination may include copying data indicatedby a plurality of maps corresponding to data written to the localdestination that is not acknowledged as being written to the remotedestination. There may be two or more than two maps.

According further to the present invention, software that storesrecovery data includes executable code that provides chunks of data to aremote destination, where each chunk of data represents data writtenbefore a first time and after a second time and where the second timefor one of the particular chunks corresponds to a first time for asubsequent one of the particular chunks, executable code that providessynchronous data to a local destination, and executable code thatprovides an indicator to the local destination in connection withcreation of a new chunk of data for storage at the remote destination.The local destination may include executable code that maintains aplurality of maps, where each of the maps associates synchronous databeing provided thereto with a specific chunk of data. In response toreceiving an indicator in connection with creation of a new chunk ofdata, the local destination may point to a new map. There may be twomaps or more than two maps. The software may include executable code atthe remote destination that, in response to the local destinationfailing to acknowledge synchronous data provided thereto, maintains amap of data provided thereto. The software may include executable codeat the remote destination that, in response to the local destinationfailing to acknowledge synchronous data provided thereto, maintains acount of a number of times a new chunk of data is created.

According further to the present invention, software that recovers datastored on a local destination and a remote destination includesexecutable code that determines which of the local destination and theremote has the most up-to-date data, executable code that copies datafrom the remote destination to the local destination if the remotedestination has the most up-to-date data, and executable code thatcopies data from the local destination to the remote destination if thelocal destination has the most up-to-date data. Executable code thatdetermines which of the local destination and the remote destination hasthe most up-to-date data may include executable code that examines atoken provided by the remote destination that indicates an amount of newdata that is stored on the remote destination that is not stored on thelocal destination. The token may indicate a number of new chunks of dataprovided to the remote storage device following failure of the localstorage device to acknowledge data provided thereto, where each chunk ofdata represents data written before a first time and after a second timeand where the second time for one of the particular chunks correspondsto a first time for a subsequent one of the particular chunks.Executable code that copies data from the remote destination to thelocal destination may include executable code that copies data indicatedby a map corresponding to data written to the remote destination that isnot acknowledged as being written to the local destination. Executablecode that copies data from the local destination to the remotedestination may include executable code that copies data indicated by aplurality of maps corresponding to data written to the local destinationthat is not acknowledged as being written to the remote destination.There may be two maps or more than two maps.

According further to the present invention, a system for storingrecovery data includes a source group, a remote destination coupled tothe source group to receive therefrom chunks of data, where each chunkof data represents data written before a first time and after a secondtime and where the second time for one of the particular chunkscorresponds to a first time for a subsequent one of the particularchunks, and a local destination coupled to the source group to receivesynchronous data therefrom, where the source group provides an indicatorto the local destination in connection with creation of a new chunk ofdata for storage at the remote destination.

According further to the present invention, a system for recovering dataincludes a source group that generates data, a local destination,coupled to the source group to receive synchronous data therefrom, aremote destination, coupled to the source group to receive asynchronousdata therefrom, means for determining which of the local destination andthe remote has the most up-to-date data, means for copying data from theremote destination to the local destination if the remote destinationhas the most up-to-date data, and means for copying data from the localdestination to the remote destination if the local destination has themost up-to-date data.

According further to the present invention, storing recovery dataincludes a host processor writing data to a local storage device, thehost processor causing the local storage device to accumulate chunks ofdata corresponding to writes by the host processor, where each chunk ofdata represents data written before a first time and after a second timeand where the second time for one of the particular chunks of datacorresponds to a first time for a subsequent one of the particularchunks of data, transmitting the chunks of data from the local storagedevice to a remote destination, providing synchronous data from thelocal storage device to a local destination; and, the host processorcausing an indicator to be provided to the local destination inconnection with creation of a new chunk of data for storage at theremote destination. The local destination may maintain a plurality ofmaps, where each of the maps associates synchronous data being providedthereto with a specific chunk of data. In response to receiving anindicator in connection with creation of a new chunk of data, the localdestination may point to a new map. There may be two maps or more thantwo maps. In response to the local destination failing to acknowledgesynchronous data provided thereto, the remote destination may maintain amap of data written thereto. Storing recovery data may include, inresponse to the local destination failing to acknowledge synchronousdata provided thereto, the remote destination maintaining a count of anumber of times a new chunk of data is created. The host processor maywrite data to more than one local storage device that synchronouslytransfer data to more than one local destination.

According further to the present invention, recovering data stored on alocal destination and a remote destination includes causing a host tolocally access one of: the local destination and the remote destination,the host determining which of the local destination and the remotedestination has the most up-to-date data, the host causing data to becopied from the remote destination to the local destination if theremote destination has the most up-to-date data, and, the host causingdata to be copied from the local destination to the remote destinationif the local destination has the most up-to-date data. The hostdetermining which of the local destination and the remote destinationhas the most up-to-date data may include the host examining a tokenprovided by the remote destination that indicates an amount of new datathat is stored on the remote destination that is not stored on the localdestination. The token may indicate a number of new chunks of dataprovided to the remote storage device following failure of the localstorage device to acknowledge data provided thereto, where each chunk ofdata represents data written before a first time and after a second timeand where the second time for one of the particular chunks correspondsto a first time for a subsequent one of the particular chunks. The hostcopying data from the remote destination to the local destination mayinclude the host copying data indicated by a map corresponding to datawritten to the remote destination that is not acknowledged as beingwritten to the local destination. The host copying data from the localdestination to the remote destination may include the host copying dataindicated by a plurality of maps corresponding to data written to thelocal destination that is not acknowledged as being written to theremote destination. The number of maps may be two or may be more thantwo.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a schematic diagram showing a host, a local storage device,and a remote data storage device used in connection with the systemdescribed herein.

FIG. 2 is a schematic diagram showing a flow of data between a host, alocal storage device, and a remote data storage device used inconnection with the system described herein.

FIG. 3 is a schematic diagram illustrating items for constructing andmanipulating chunks of data on a local storage device according to thesystem described herein.

FIG. 4 is a diagram illustrating a data structure for a slot used inconnection with the system described herein.

FIG. 5 is a flow chart illustrating operation of a host adaptor (HA) inresponse to a write by a host according to the system described herein.

FIG. 6 is a flow chart illustrating transferring data from a localstorage device to a remote storage device according to the systemdescribed herein.

FIG. 7 is a schematic diagram illustrating items for constructing andmanipulating chunks of data on a remote storage device according to thesystem described herein.

FIG. 8 is a flow chart illustrating steps performed by a remote storagedevice in connection with receiving 1 a commit indicator from a localstorage device according to the system described herein.

FIG. 9 is a flow chart illustrating storing transmitted data at a remotestorage device according to the system described herein.

FIG. 10 is a flow chart illustrating steps performed in connection witha local storage device incrementing a sequence number according to asystem described herein.

FIG. 11 is a schematic diagram illustrating items for constructing andmanipulating chunks of data on a local storage device according to analternative embodiment of the system described herein.

FIG. 12 is a flow chart illustrating operation of a host adaptor (HA) inresponse to a write by a host according to an alternative embodiment ofthe system described herein.

FIG. 13 is a flow chart illustrating transferring data from a localstorage device to a remote storage device according to an alternativeembodiment of the system described herein.

FIG. 14 is a schematic diagram illustrating a plurality of local andremote storage devices with a host according to the system describedherein.

FIG. 15 is a diagram showing a multi-box mode table used in connectionwith the system described herein.

FIG. 16 is a flow chart illustrating modifying a multi-box mode tableaccording to the system described herein.

FIG. 17 is a flow chart illustrating cycle switching by the hostaccording to the system described herein.

FIG. 18 is a flow chart illustrating steps performed in connection witha local storage device incrementing a sequence number according to asystem described herein.

FIG. 19 is a flow chart illustrating transferring data from a localstorage device to a remote storage device according to the systemdescribed herein.

FIG. 20 is a flow chart illustrating transferring data from a localstorage device to a remote storage device according to an alternativeembodiment of the system described herein.

FIG. 21 is a flow chart illustrating providing an active empty indicatormessage from a remote storage device to a corresponding local storagedevice according to the system described herein.

FIG. 22 is a schematic diagram illustrating a plurality of local andremote storage devices with a plurality of hosts according to the systemdescribed herein.

FIG. 23 is a flow chart illustrating a processing performed by a remotestorage device in connection with data recovery according to the systemdescribed herein.

FIG. 24 is a flow chart illustrating a processing performed by a host inconnection with data recovery according to the system described herein.

FIG. 25 is a schematic diagram showing a storage device, memory, aplurality of directors, and a communication module according to thesystem described herein.

FIG. 26 is a schematic diagram showing a source group, a localdestination, and a remote destination according to the system describedherein.

FIG. 27 is a flow chart illustrating a process performed by a localdestination to initialize data recovery parameters according to thesystem described herein.

FIG. 28A is a flow chart illustrating a process performed by a localdestination in connection with receiving data during non-failure modeaccording to the system described herein.

FIG. 28B is a flow chart illustrating an alternative process that may beperformed by a local destination in connection with receiving dataduring non-failure mode according to the system described herein.

FIG. 28C is a flow chart illustrating an alternative process that may beperformed by a local destination in connection with receiving dataduring non-failure mode according to the system described herein.

FIG. 29 is a flow chart illustrating a process performed by a localdestination to initialize data recovery parameters according to thesystem described herein.

FIG. 30 is a flow chart illustrating a process performed by a remotedestination in connection with collecting failure recovery dataaccording to the system described herein.

FIG. 31 is a flow chart illustrating a process performed in connectionwith failure recovery according to the system described herein.

FIG. 32 is a flow chart illustrating processing performed in connectionwith terminating ordered writes according to the system describedherein.

FIG. 33 is a flow chart illustrating processing performed in connectionwith sending data from a local destination to a remote destinationaccording to the system described herein.

FIG. 34 is a flow chart illustrating a process performed by a localdestination in connection with resetting error recovery parametersaccording to the system described herein.

FIG. 35 is a flow chart illustrating a process performed by a remotedestination in connection with resetting error recovery parametersaccording to the system described herein.

FIG. 36 is a diagram illustrating a configuration of a source groupaccording to the system described herein.

FIG. 37 is a diagram illustrating another configuration of a sourcegroup according to the system described herein.

FIG. 38 is a flow chart illustrating an alternative embodiment fortransferring data from a local storage device to a remote storage deviceaccording to the system described herein.

FIG. 39 is a schematic diagram illustrating items for constructing andmanipulating chunks of data on a remote storage device according to thesystem described herein.

FIG. 40 is a diagram showing a table used to map logical devicelocations to slots containing data received by a remote storage deviceaccording to the system described herein.

FIG. 41 is a diagram showing another embodiment of a table used to maplogical device locations to slots containing data received by a remotestorage device according to the system described herein.

DETAILED DESCRIPTION OF VARIOUS EMBODIMENTS

Referring to FIG. 1, a diagram 20 shows a relationship between a host22, a local storage device 24 and a remote storage device 26. The host22 reads and writes data from and to the local storage device 24 via ahost adapter (HA) 28, which facilitates the interface between the host22 and the local storage device 24. Although the diagram 20 only showsone host 22 and one HA 28, it will be appreciated by one of ordinaryskill in the art that multiple HA's may be used and that one or moreHA's may have one or more hosts coupled thereto.

Data from the local storage device 24 is copied to the remote storagedevice 26 via an RDF link 29 to cause the data on the remote storagedevice 26 to be identical to the data on the local storage device 24.Although only the one link 29 is shown, it is possible to haveadditional links between the storage devices 24, 26 and to have linksbetween one or both of the storage devices 24, 26 and other storagedevices (not shown). In addition, the link 29 may be provided using adirect connection (wired, over-the-air, or some combination thereof), anetwork (such as the Internet), or any other appropriate means forconveying data. Note that there may be a time delay between the transferof data from the local storage device 24 to the remote storage device26, so that the remote storage device 26 may, at certain points in time,contain data that is not identical to the data on the local storagedevice 24. Communication using RDF is described, for example, in U.S.Pat. No. 5,742,792, which is incorporated by reference herein.

The local storage device 24 includes a first plurality of RDF adapterunits (RA's) 30 a, 30 b, 30 c and the remote storage device 26 includesa second plurality of RA's 32 a-32 c. The RA's 30 a-30 c, 32 a-32 c arecoupled to the RDF link 29 and are similar to the host adapter 28, butare used to transfer data between the storage devices 24, 26. Thesoftware used in connection with the RA's 30 a-30 c, 32 a-32 c isdiscussed in more detail hereinafter.

The storage devices 24, 26 may include one or more disks, eachcontaining a different portion of data stored on each of the storagedevices 24, 26. FIG. 1 shows the storage device 24 including a pluralityof disks 33 a, 33 b, 33 c and the storage device 26 including aplurality of disks 34 a, 34 b, 34 c. The RDF functionality describedherein may be applied so that the data for at least a portion of thedisks 33 a-33 c of the local storage device 24 is copied, using RDF, toat least a portion of the disks 34 a-34 c of the remote storage device26. It is possible that other data of the storage devices 24, 26 is notcopied between the storage devices 24, 26, and thus is not identical.

Each of the disks 33 a-33 c is coupled to a corresponding disk adapterunit (DA) 35 a, 35 b, 35 c that provides data to a corresponding one ofthe disks 33 a-33 c and receives data from a corresponding one of thedisks 33 a-33 c. Similarly, a plurality of DA's 36 a, 36 b, 36 c of theremote storage device 26 are used to provide data to corresponding onesof the disks 34 a-34 c and receive data from corresponding ones of thedisks 34 a-34 c. An internal data path exists between the DA's 35 a-35c, the HA 28 and the RA's 30 a-30 c of the local storage device 24.Similarly, an internal data path exists between the DA's 36 a-36 c andthe RA's 32 a-32 c of the remote storage device 26. Note that, in otherembodiments, it is possible for more than one disk to be serviced by aDA and that it is possible for more than one DA to service a disk.

The local storage device 24 also includes a global memory 37 that may beused to facilitate data transferred between the DA's 35 a-35 c, the HA28 and the RA's 30 a-30 c. The memory 37 may contain tasks that are tobe performed by one or more of the DA's 35 a-35 c, the HA 28 and theRA's 30 a-30 c, and a cache for data fetched from one or more of thedisks 33 a-33 c. Similarly, the remote storage device 26 includes aglobal memory 38 that may contain tasks that are to be performed by oneor more of the DA's 36 a-36 c and the RA's 32 a-32 c, and a cache fordata fetched from one or more of the disks 34 a-34 c. Use of thememories 37, 38 is described in more detail hereinafter.

The storage space in the local storage device 24 that corresponds to thedisks 33 a-33 c may be subdivided into a plurality of volumes or logicaldevices. The logical devices may or may not correspond to the physicalstorage space of the disks 33 a-33 c. Thus, for example, the disk 33 amay contain a plurality of logical devices or, alternatively, a singlelogical device could span both of the disks 33 a, 33 b. Similarly, thestorage space for the remote storage device 26 that comprises the disks34 a-34 c may be subdivided into a plurality of volumes or logicaldevices, where each of the logical devices may or may not correspond toone or more of the disks 34 a-34 c.

Providing an RDF mapping between portions of the local storage device 24and the remote storage device 26 involves setting up a logical device onthe remote storage device 26 that is a remote mirror for a logicaldevice on the local storage device 24. The host 22 reads and writes datafrom and to the logical device on the local storage device 24 and theRDF mapping causes modified data to be transferred from the localstorage device 24 to the remote storage device 26 using the RA's, 30a-30 c, 32 a-32 c and the RDF link 29. In steady state operation, thelogical device on the remote storage device 26 contains data that isidentical to the data of the logical device on the local storage device24. The logical device on the local storage device 24 that is accessedby the host 22 is referred to as the “R1 volume” (or just “R1”) whilethe logical device on the remote storage device 26 that contains a copyof the data on the R1 volume is called the “R2 volume” (or just “R2”).Thus, the host reads and writes data from and to the R1 volume and RDFhandles automatic copying and updating of the data from the R1 volume tothe R2 volume. The system described herein may be implemented usingsoftware, hardware, and/or a combination of software and hardware wheresoftware may be stored in an appropriate storage medium and executed byone or more processors.

Referring to FIG. 2, a path of data is illustrated from the host 22 tothe local storage device 24 and the remote storage device 26. Datawritten from the host 22 to the local storage device 24 is storedlocally, as illustrated by the data element 51 of the local storagedevice 24. The data that is written by the host 22 to the local storagedevice 24 is also maintained by the local storage device 24 inconnection with being sent by the local storage device 24 to the remotestorage device 26 via the link 29.

In the system described herein, each data write by the host 22 (of, forexample a record, a plurality of records, a track, etc.) is assigned asequence number. The sequence number may be provided in an appropriatedata field associated with the write. In FIG. 2, the writes by the host22 are shown as being assigned sequence number N. All of the writesperformed by the host 22 that are assigned sequence number N arecollected in a single chunk of data 52. The chunk 52 represents aplurality of separate writes by the host 22 that occur at approximatelythe same time.

Generally, the local storage device 24 accumulates chunks of onesequence number while transmitting a previously accumulated chunk(having the previous sequence number) to the remote storage device 26.Thus, while the local storage device 24 is accumulating writes from thehost 22 that are assigned sequence number N, the writes that occurredfor the previous sequence number (N−1) are transmitted by the localstorage device 24 to the remote storage device 26 via the link 29. Achunk 54 represents writes from the host 22 that were assigned thesequence number N−1 that have not been transmitted yet to the remotestorage device 26.

The remote storage device 26 receives the data from the chunk 54corresponding to writes assigned a sequence number N−1 and constructs anew chunk 56 of host writes having sequence number N−1. The data may betransmitted using appropriate RDF protocol that acknowledges data sentacross the link 29. When the remote storage device 26 has received allof the data from the chunk 54, the local storage device 24 sends acommit message to the remote storage device 26 to commit all the dataassigned the N−1 sequence number corresponding to the chunk 56.Generally, once a chunk corresponding to a particular sequence number iscommitted, that chunk may be written to the logical storage device. Thisis illustrated in FIG. 2 with a chunk 58 corresponding to writesassigned sequence number N−2 (i.e., two before the current sequencenumber being used in connection with writes by the host 22 to the localstorage device 26). In FIG. 2, the chunk 58 is shown as being written toa data element 62 representing disk storage for the remote storagedevice 26. Thus, the remote storage device 26 is receiving andaccumulating the chunk 56 corresponding to sequence number N−1 while thechunk 58 corresponding to the previous sequence number (N−2) is beingwritten to disk storage of the remote storage device 26 illustrated bythe data element 62. In some embodiments, the data for the chunk 58 ismarked for write (but not necessarily written immediately), while thedata for the chunk 56 is not.

Thus, in operation, the host 22 writes data to the local storage device24 that is stored locally in the data element 51 and is accumulated inthe chunk 52. Once all of the data for a particular sequence number hasbeen accumulated (described elsewhere herein), the local storage device24 increments the sequence number. Data from the chunk 54 correspondingto one less than the current sequence number is transferred from thelocal storage device 24 to the remote storage device 26 via the link 29.The chunk 58 corresponds to data for a sequence number that wascommitted by the local storage device 24 sending a message to the remotestorage device 26. Data from the chunk 58 is written to disk storage ofthe remote storage device 26.

Note that the writes within a particular one of the chunks 52, 54, 56,58 are not necessarily ordered. However, as described in more detailelsewhere herein, every write for the chunk 58 corresponding to sequencenumber N−2 was begun prior to beginning any of the writes for the chunks54, 56 corresponding to sequence number N−1. In addition, every writefor the chunks 54, 56 corresponding to sequence number N−1 was begunprior to beginning any of the writes for the chunk 52 corresponding tosequence number N. Thus, in the event of a communication failure betweenthe local storage device 24 and the remote storage device 26, the remotestorage device 26 may simply finish writing the last committed chunk ofdata (the chunk 58 in the example of FIG. 2) and can be assured that thestate of the data at the remote storage device 26 is ordered in thesense that the data element 62 contains all of the writes that werebegun prior to a certain point in time and contains no writes that werebegun after that point in time. Thus, R2 always contains a point in timecopy of R1 and it is possible to reestablish a consistent image from theR2 device.

Referring to FIG. 3, a diagram 70 illustrates items used to constructand maintain the chunks 52, 54. A standard logical device 72 containsdata written by the host 22 and corresponds to the data element 51 ofFIG. 2 and the disks 33 a-33 c of FIG. 1. The standard logical device 72contains data written by the host 22 to the local storage device 24.

Two linked lists of pointers 74, 76 are used in connection with thestandard logical device 72. The linked lists 74, 76 correspond to datathat may be stored, for example, in the memory 37 of the local storagedevice 24. The linked list 74 contains a plurality of pointers 81-85,each of which points to a slot of a cache 88 used in connection with thelocal storage device 24. Similarly, the linked list 76 contains aplurality of pointers 91-95, each of which points to a slot of the cache88. In some embodiments, the cache 88 may be provided in the memory 37of the local storage device 24. The cache 88 contains a plurality ofcache slots 102-104 that may be used in connection to writes to thestandard logical device 72 and, at the same time, used in connectionwith the linked lists 74, 76.

Each of the linked lists 74, 76 may be used for one of the chunks ofdata 52, 54 so that, for example, the linked list 74 may correspond tothe chunk of data 52 for sequence number N while the linked list 76 maycorrespond to the chunk of data 54 for sequence number N−1. Thus, whendata is written by the host 22 to the local storage device 24, the datais provided to the cache 88 and, in some cases (described elsewhereherein), an appropriate pointer of the linked list 74 is created. Notethat the data will not be removed from the cache 88 until the data isdestaged to the standard logical device 72 and the data is also nolonger pointed to by one of the pointers 81-85 of the linked list 74, asdescribed elsewhere herein.

In an embodiment herein, one of the linked lists 74, 76 is deemed“active” while the other is deemed “inactive”. Thus, for example, whenthe sequence number N is even, the linked list 74 may be active whilethe linked list 76 is inactive. The active one of the linked lists 74,76 handles writes from the host 22 while the inactive one of the linkedlists 74, 76 corresponds to the data that is being transmitted from thelocal storage device 24 to the remote storage device 26.

While the data that is written by the host 22 is accumulated using theactive one of the linked lists 74, 76 (for the sequence number N), thedata corresponding to the inactive one of the linked lists 74, 76 (forprevious sequence number N−1) is transmitted from the local storagedevice 24 to the remote storage device 26. The RA's 30 a-30 c use thelinked lists 74, 76 to determine the data to transmit from the localstorage device 24 to the remote storage device 26.

Once data corresponding to a particular one of the pointers in one ofthe linked lists 74, 76 has been transmitted to the remote storagedevice 26, the particular one of the pointers may be removed from theappropriate one of the linked lists 74, 76. In addition, the data mayalso be marked for removal from the cache 88 (i.e., the slot may bereturned to a pool of slots for later, unrelated, use) provided that thedata in the slot is not otherwise needed for another purpose (e.g., tobe destaged to the standard logical device 72). A mechanism may be usedto ensure that data is not removed from the cache 88 until all devicesare no longer using the data. Such a mechanism is described, forexample, in U.S. Pat. No. 5,537,568 issued on Jul. 16, 1996 and in U.S.Pat. No. 6,594,742 issued on Jul. 15, 2003, both of which areincorporated by reference herein.

Referring to FIG. 4, a slot 120, like one of the slots 102-104 of thecache 88, includes a header 122 and data 124. The header 122 correspondsto overhead information used by the system to manage the slot 120. Thedata 124 is the corresponding data from the disk that is being(temporarily) stored in the slot 120. Information in the header 122includes pointers back to the disk, time stamp(s), etc.

The header 122 also includes a cache stamp 126 used in connection withthe system described herein. In an embodiment herein, the cache stamp126 is eight bytes. Two of the bytes are a “password” that indicateswhether the slot 120 is being used by the system described herein. Inother embodiments, the password may be one byte while the following byteis used for a pad. As described elsewhere herein, the two bytes of thepassword (or one byte, as the case may be) being equal to a particularvalue indicates that the slot 120 is pointed to by at least one entry ofthe linked lists 74, 76. The password not being equal to the particularvalue indicates that the slot 120 is not pointed to by an entry of thelinked lists 74, 76. Use of the password is described elsewhere herein.

The cache stamp 126 also includes a two byte field indicating thesequence number (e.g., N, N−1, N−2, etc.) of the data 124 of the slot120. As described elsewhere herein, the sequence number field of thecache stamp 126 may be used to facilitate the processing describedherein. The remaining four bytes of the cache stamp 126 may be used fora pointer, as described elsewhere herein. Of course, the two bytes ofthe sequence number and the four bytes of the pointer are only validwhen the password equals the particular value that indicates that theslot 120 is pointed to by at least one entry in one of the lists 74, 76.

Referring to FIG. 5, a flow chart 140 illustrates steps performed by theHA 28 in connection with a host 22 performing a write operation. Ofcourse, when the host 22 performs a write, processing occurs forhandling the write in a normal fashion irrespective of whether the datais part of an R1/R2 RDF group. For example, when the host 22 writes datafor a portion of the disk, the write occurs to a cache slot which iseventually destaged to the disk. The cache slot may either be a newcache slot or may be an already existing cache slot created inconnection with a previous read and/or write operation to the sametrack.

Processing begins at a first step 142 where a slot corresponding to thewrite is locked. In an embodiment herein, each of the slots 102-104 ofthe cache 88 corresponds to a track of data on the standard logicaldevice 72. Locking the slot at the step 142 prevents additionalprocesses from operating on the relevant slot during the processingperformed by the HA 28 corresponding to the steps of the flow chart 140.

Following step 142 is a step 144 where a value for N, the sequencenumber, is set. As discussed elsewhere herein, the value for thesequence number obtained at the step 144 is maintained during the entirewrite operation performed by the HA 28 while the slot is locked. Asdiscussed elsewhere herein, the sequence number is assigned to eachwrite to set the one of the chunks of data 52, 54 to which the writebelongs. Writes performed by the host 22 are assigned the currentsequence number. It is useful that a single write operation maintain thesame sequence number throughout.

Following the step 144 is a test step 146 which determines if thepassword field of the cache slot is valid. As discussed above, thesystem described herein sets the password field to a predetermined valueto indicate that the cache slot is already in one of the linked lists ofpointers 74, 76. If it is determined at the test step 146 that thepassword field is not valid (indicating that the slot is new and that nopointers from the lists 74, 76 point to the slot), then control passesfrom the step 146 to a step 148, where the cache stamp of the new slotis set by setting the password to the predetermined value, setting thesequence number field to N, and setting the pointer field to Null. Inother embodiments, the pointer field may be set to point to the slotitself.

Following the step 148 is a step 152 where a pointer to the new slot isadded to the active one of the pointer lists 74, 76. In an embodimentherein, the lists 74, 76 are circular doubly linked lists, and the newpointer is added to the circular doubly linked list in a conventionalfashion. Of course, other appropriate data structures could be used tomanage the lists 74, 76. Following the step 152 is a step 154 whereflags are set. At the step 154, the RDF_WP flag (RDF write pending flag)is set to indicate that the slot needs to be transmitted to the remotestorage device 26 using RDF. In addition, at the step 154, the IN_CACHEflag is set to indicate that the slot needs to be destaged to thestandard logical device 72. Following the step 154 is a step 156 wherethe data being written by the host 22 and the HA 28 is written to theslot. Following the step 156 is a step 158 where the slot is unlocked.Following step 158, processing is complete.

If it is determined at the test step 146 that the password field of theslot is valid (indicating that the slot is already pointed to by atleast one pointer of the lists 74, 76), then control transfers from thestep 146 to a test step 162, where it is determined whether the sequencenumber field of the slot is equal to the current sequence number, N.Note that there are two valid possibilities for the sequence numberfield of a slot with a valid password. It is possible for the sequencenumber field to be equal to N, the current sequence number. This occurswhen the slot corresponds to a previous write with sequence number N.The other possibility is for the sequence number field to equal N−1.This occurs when the slot corresponds to a previous write with sequencenumber N−1. Any other value for the sequence number field is invalid.Thus, for some embodiments, it may be possible to include error/validitychecking in the step 162 or possibly make error/validity checking aseparate step. Such an error may be handled in any appropriate fashion,which may include providing a message to a user.

If it is determined at the step 162 that the value in the sequencenumber field of the slot equals the current sequence number N, then nospecial processing is required and control transfers from the step 162to the step 156, discussed above, where the data is written to the slot.Otherwise, if the value of the sequence number field is N−1 (the onlyother valid value), then control transfers from the step 162 to a step164 where a new slot is obtained. The new slot obtained at the step 164may be used to store the data being written.

Following the step 164 is a step 166 where the data from the old slot iscopied to the new slot that was obtained at the step 164. Note that thatthe copied data includes the RDF_WP flag, which should have been set atthe step 154 on a previous write when the slot was first created.Following the step 166 is a step 168 where the cache stamp for the newslot is set by setting the password field to the appropriate value,setting the sequence number field to the current sequence number, N, andsetting the pointer field to point to the old slot. Following the step168 is a step 172 where a pointer to the new slot is added to the activeone of the linked lists 74, 76. Following the step 172 is the step 156,discussed above, where the data is written to the slot which, in thiscase, is the new slot.

Referring to FIG. 6, a flow chart 200 illustrates steps performed inconnection with the RA's 30 a-30 c scanning the inactive one of thelists 72, 74 to transmit RDF data from the local storage device 24 tothe remote storage device 26. As discussed above, the inactive one ofthe lists 72, 74 points to slots corresponding to the N−1 cycle for theR1 device when the N cycle is being written to the R1 device by the hostusing the active one of the lists 72, 74.

Processing begins at a first step 202 where it is determined if thereare any entries in the inactive one of the lists 72, 74. As data istransmitted, the corresponding entries are removed from the inactive oneof the lists 72, 74. In addition, new writes are provided to the activeone of the lists 72, 74 and not generally to the inactive one of thelists 72, 74. Thus, it is possible (and desirable, as describedelsewhere herein) for the inactive one of the lists 72, 74 to contain nodata at certain times. If it is determined at the step 202 that there isno data to be transmitted, then the inactive one of the lists 72, 74 iscontinuously polled until data becomes available. Data for sendingbecomes available in connection with a cycle switch (discussed elsewhereherein) where the inactive one of the lists 72, 74 becomes the activeone of the lists 72, 74, and vice versa.

If it is determined at the step 202 that there is data available forsending, control transfers from the step 202 to a step 204, where theslot is verified as being correct. The processing performed at the step204 is an optional “sanity check” that may include verifying that thepassword field is correct and verifying that the sequence number fieldis correct. If there is incorrect (unexpected) data in the slot, errorprocessing may be performed, which may include notifying a user of theerror and possibly error recovery processing.

Following the step 204 is a step 212, where the data is sent via RDF ina conventional fashion. In an embodiment herein, the entire slot is nottransmitted. Rather, only records within the slot that have theappropriate mirror bits set (indicating the records have changed) aretransmitted to the remote storage device 26. However, in otherembodiments, it may be possible to transmit the entire slot, providedthat the remote storage device 26 only writes data corresponding torecords having appropriate mirror bits set and ignores other data forthe track, which may or may not be valid. Following the step 212 is atest step 214 where it is determined if the data that was transmittedhas been acknowledged by the R2 device. If not, the data is resent, asindicated by the flow from the step 214 back to the step 212. In otherembodiments, different and more involved processing may used to senddata and acknowledge receipt thereof. Such processing may include errorreporting and alternative processing that is performed after a certainnumber of attempts to send the data have failed.

Once it is determined at the test step 214 that the data has beensuccessfully sent, control passes from the step 214 to a step 216 toclear the RDF_WP flag (since the data has been successfully sent viaRDF). Following the step 216 is a test step 218 where it is determinedif the slot is a duplicate slot created in connection with a write to aslot already having an existing entry in the inactive one of the lists72, 74. This possibility is discussed above in connection with the steps162, 164, 166, 168, 172. If it is determined at the step 218 that theslot is a duplicate slot, then control passes from the step 218 to astep 222 where the slot is returned to the pool of available slots (tobe reused). In addition, the slot may also be aged (or have some otherappropriate mechanism applied thereto) to provide for immediate reuseahead of other slots since the data provided in the slot is not validfor any other purpose. Following the step 222 or the step 218 if theslot is not a duplicate slot is a step 224 where the password field ofthe slot header is cleared so that when the slot is reused, the test atthe step 146 of FIG. 5 properly classifies the slot as a new slot.

Following the step 224 is a step 226 where the entry in the inactive oneof the lists 72, 74 is removed. Following the step 226, controltransfers back to the step 202, discussed above, where it is determinedif there are additional entries on the inactive one of the lists 72, 74corresponding to data needing to be transferred.

Referring to FIG. 7, a diagram 240 illustrates creation and manipulationof the chunks 56, 58 used by the remote storage device 26. Data that isreceived by the remote storage device 26, via the link 29, is providedto a cache 242 of the remote storage device 26. The cache 242 may beprovided, for example, in the memory 38 of the remote storage device 26.The cache 242 includes a plurality of cache slots 244-246, each of whichmay be mapped to a track of a standard logical storage device 252. Thecache 242 is similar to the cache 88 of FIG. 3 and may contain data thatcan be destaged to the standard logical storage device 252 of the remotestorage device 26. The standard logical storage device 252 correspondsto the data element 62 shown in FIG. 2 and the disks 34 a-34 c shown inFIG. 1.

The remote storage device 26 also contains a pair of cache only virtualdevices 254, 256. The cache only virtual devices 254, 256 correspondeddevice tables that may be stored, for example, in the memory 38 of theremote storage device 26. Each track entry of the tables of each of thecache only virtual devices 254, 256 point to either a track of thestandard logical device 252 or point to a slot of the cache 242. Cacheonly virtual devices are described in a copending U.S. patentapplication titled CACHE-ONLY VIRTUAL DEVICES, filed on Mar. 25, 2003and having Ser. No. 10/396,800, which is incorporated by referenceherein.

The plurality of cache slots 244-246 may be used in connection to writesto the standard logical device 252 and, at the same time, used inconnection with the cache only virtual devices 254, 256. In anembodiment herein, each of track table entries of the cache only virtualdevices 254, 256 contain a null to indicate that the data for that trackis stored on a corresponding track of the standard logical device 252.Otherwise, an entry in the track table for each of the cache onlyvirtual devices 254, 256 contains a pointer to one of the slots 244-246in the cache 242.

Each of the cache only virtual devices 254, 256 corresponds to one ofthe data chunks 56, 58. Thus, for example, the cache only virtual device254 may correspond to the data chunk 56 while the cache only virtualdevice 256 may correspond to the data chunk 58. In an embodiment herein,one of the cache only virtual devices 254, 256 may be deemed “active”while the other one of the cache only virtual devices 254, 256 may bedeemed “inactive”. The inactive one of the cache only virtual devices254, 256 may correspond to data being received from the local storagedevice 24 (i.e., the chunk 56) while the active one of the cache onlyvirtual device 254, 256 corresponds to data being restored (written) tothe standard logical device 252.

Data from the local storage device 24 that is received via the link 29may be placed in one of the slots 244-246 of the cache 242. Acorresponding pointer of the inactive one of the cache only virtualdevices 254, 256 may be set to point to the received data. Subsequentdata having the same sequence number may be processed in a similarmanner. At some point, the local storage device 24 provides a messagecommitting all of the data sent using the same sequence number. Once thedata for a particular sequence number has been committed, the inactiveone of the cache only virtual devices 254, 256 becomes active and viceversa. At that point, data from the now active one of the cache onlyvirtual devices 254, 256 is copied to the standard logical device 252while the inactive one of the cache only virtual devices 254, 256 isused to receive new data (having a new sequence number) transmitted fromthe local storage device 24 to the remote storage device 26.

As data is removed from the active one of the cache only virtual devices254, 256 (discussed elsewhere herein), the corresponding entry in theactive one of the cache only virtual devices 254, 256 may be set tonull. In addition, the data may also be removed from the cache 244(i.e., the slot returned to the pool of free slots for later use)provided that the data in the slot is not otherwise needed for anotherpurpose (e.g., to be destaged to the standard logical device 252). Amechanism may be used to ensure that data is not removed from the cache242 until all mirrors (including the cache only virtual devices 254,256) are no longer using the data. Such a mechanism is described, forexample, in U.S. Pat. No. 5,537,568 issued on Jul. 16, 1996 and in U.S.Pat. No. 6,594,742 issued on Jul. 15, 2003, both of which areincorporated by reference herein.

In some embodiments discussed elsewhere herein, the remote storagedevice 26 may maintain linked lists 258, 262 like the lists 74, 76 usedby the local storage device 24. The lists 258, 262 may containinformation that identifies the slots of the corresponding cache onlyvirtual devices 254, 256 that have been modified, where one of the lists258, 262 corresponds to one of the cache only virtual devices 254, 256and the other one of the lists 258, 262 corresponds to the other one ofthe cache only virtual devices 254, 256. As discussed elsewhere herein,the lists 258, 262 may be used to facilitate restoring data from thecache only virtual devices 254, 256 to the standard logical device 252.

Referring to FIG. 8, a flow chart 270 illustrates steps performed by theremote storage device 26 in connection with processing data for asequence number commit transmitted by the local storage device 24 to theremote storage device 26. As discussed elsewhere herein, the localstorage device 24 periodically increments sequence numbers. When thisoccurs, the local storage device 24 finishes transmitting all of thedata for the previous sequence number and then sends a commit messagefor the previous sequence number.

Processing begins at a first step 272 where the commit is received.Following the step 272 is a test step 274 which determines if the activeone of the cache only virtual devices 254, 256 of the remote storagedevice 26 is empty. As discussed elsewhere herein, the inactive one ofthe cache only virtual devices 254, 256 of the remote storage device 26is used to accumulate data from the local storage device 24 sent usingRDF while the active one of the cache only virtual devices 254, 256 isrestored to the standard logical device 252.

If it is determined at the test step 274 that the active one of thecache only virtual devices 254, 256 is not empty, then control transfersfrom the test step 274 to a step 276 where the restore for the activeone of the cache only virtual devices 254, 256 is completed prior tofurther processing being performed. Restoring data from the active oneof the cache only virtual devices 254, 256 is described in more detailelsewhere herein. It is useful that the active one of the cache onlyvirtual devices 254, 256 is empty prior to handling the commit andbeginning to restore data for the next sequence number.

Following the step 276 or following the step 274 if the active one ofthe cache only virtual devices 254, 256 is determined to be empty, is astep 278 where the active one of the cache only virtual devices 254, 256is made inactive. Following the step 278 is a step 282 where thepreviously inactive one of the cache only virtual devices 254, 256(i.e., the one that was inactive prior to execution of the step 278) ismade active. Swapping the active and inactive cache only virtual devices254, 256 at the steps 278, 282 prepares the now inactive (and empty) oneof the cache only virtual devices 254, 256 to begin to receive data fromthe local storage device 24 for the next sequence number.

Following the step 282 is a step 284 where the active one of the cacheonly virtual devices 254, 256 is restored to the standard logical device252 of the remote storage device 26. Restoring the active one of thecache only virtual devices 254, 256 to the standard logical device 252is described in more detail hereinafter. However, note that, in someembodiments, the restore process is begun, but not necessarilycompleted, at the step 284. Following the step 284 is a step 286 wherethe commit that was sent from the local storage device 24 to the remotestorage device 26 is acknowledged back to the local storage device 24 sothat the local storage device 24 is informed that the commit wassuccessful. Following the step 286, processing is complete.

Referring to FIG. 9, a flow chart 300 illustrates in more detail thesteps 276, 284 of FIG. 8 where the remote storage device 26 restores theactive one of the cache only virtual devices 254, 256. Processing beginsat a first step 302 where a pointer is set to point to the first slot ofthe active one of the cache only virtual devices 254, 256. The pointeris used to iterate through each track table entry of the active one ofthe cache only virtual devices 254, 256, each of which is processedindividually. Following the step 302 is a test step 304 where it isdetermined if the track of the active one of the cache only virtualdevices 254, 256 that is being processed points to the standard logicaldevice 252. If so, then there is nothing to restore. Otherwise, controltransfers from the step 304 to a step a 306 where the corresponding slotof the active one of the cache only virtual devices 254, 256 is locked.

Following the step 306 is a test step 308 which determines if thecorresponding slot of the standard logical device 252 is already in thecache of the remote storage device 26. If so, then control transfersfrom the test step 308 to a step 312 where the slot of the standardlogical device is locked. Following step 312 is a step 314 where thedata from the active one of the cache only virtual devices 254, 256 ismerged with the data in the cache for the standard logical device 252.Merging the data at the step 314 involves overwriting the data for thestandard logical device with the new data of the active one of the cacheonly virtual devices 254, 256. Note that, in embodiments that providefor record level flags, it may be possible to simply OR the new recordsfrom the active one of the cache only virtual devices 254, 256 to therecords of the standard logical device 252 in the cache. That is, if therecords are interleaved, then it is only necessary to use the recordsfrom the active one of the cache only virtual devices 254, 256 that havechanged and provide the records to the cache slot of the standardlogical device 252. Following step 314 is a step 316 where the slot ofthe standard logical device 252 is unlocked. Following step 316 is astep 318 where the slot of the active one of the cache only virtualdevices 254, 256 that is being processed is also unlocked.

If it is determined at the test step 308 that the corresponding slot ofthe standard logical device 252 is not in cache, then control transfersfrom the test step 308 to a step 322 where the track entry for the slotof the standard logical device 252 is changed to indicate that the slotof the standard logical device 252 is in cache (e.g., an IN_CACHE flagmay be set) and needs to be destaged. As discussed elsewhere herein, insome embodiments, only records of the track having appropriate mirrorbits set may need to be destaged. Following the step 322 is a step 324where a flag for the track may be set to indicate that the data for thetrack is in the cache.

Following the step 324 is a step 326 where the slot pointer for thestandard logical device 252 is changed to point to the slot in thecache. Following the step 326 is a test step 328 which determines if theoperations performed at the steps 322, 324, 326 have been successful. Insome instances, a single operation called a “compare and swap” operationmay be used to perform the steps 322, 324, 326. If these operations arenot successful for any reason, then control transfers from the step 328back to the step 308 to reexamine if the corresponding track of thestandard logical device 252 is in the cache. Otherwise, if it isdetermined at the test step 328 that the previous operations have beensuccessful, then control transfers from the test step 328 to the step318, discussed above.

Following the step 318 is a test step 332 which determines if the cacheslot of the active one of the cache only virtual devices 254, 256 (whichis being restored) is still being used. In some cases, it is possiblethat the slot for the active one of the cache only virtual devices 254,256 is still being used by another mirror. If it is determined at thetest step 332 that the slot of the cache only virtual device is notbeing used by another mirror, then control transfers from the test step332 to a step 334 where the slot is released for use by other processes(e.g., restored to pool of available slots, as discussed elsewhereherein). Following the step 334 is a step 336 to point to the next slotto process the next slot of the active one of the cache only virtualdevices 254, 256. Note that the step 336 is also reached from the teststep 332 if it is determined at the step 332 that the active one of thecache only virtual devices 254, 256 is still being used by anothermirror. Note also that the step 336 is reached from the test step 304 ifit is determined at the step 304 that, for the slot being processed, theactive one of the cache only virtual devices 254, 256 points to thestandard logical device 252. Following the step 336 is a test step 338which determines if there are more slots of the active one of the cacheonly virtual devices 254, 256 to be processed. If not, processing iscomplete. Otherwise, control transfers from the test step 338 back tothe step 304.

In another embodiment, it is possible to construct lists of modifiedslots for the received chunk of data 56 corresponding to the N−1 cycleon the remote storage device 26, such as the lists 258, 262 shown inFIG. 7. As the data is received, the remote storage device 26 constructsa linked list of modified slots. The lists that are constructed may becircular, linear (with a NULL termination), or any other appropriatedesign. The lists may then be used to restore the active one of thecache only virtual devices 254, 256.

The flow chart 300 of FIG. 9 shows two alternative paths 342, 344 thatillustrate operation of embodiments where a list of modified slots isused. At the step 302, a pointer (used for iterating through the list ofmodified slots) is made to point to the first element of the list.Following the step 302 is the step 306, which is reached by thealternative path 342. In embodiments that use lists of modified slots,the test step 304 is not needed since no slots on the list should pointto the standard logical device 252.

Following the step 306, processing continues as discussed above with theprevious embodiment, except that the step 336 refers to traversing thelist of modified slots rather than pointing to the next slot in theCOVD. Similarly, the test at the step 338 determines if the pointer isat the end of the list (or back to the beginning in the case of acircular linked list). Also, if it is determined at the step 338 thatthere are more slots to process, then control transfers from the step338 to the step 306, as illustrated by the alternative path 344. Asdiscussed above, for embodiments that use a list of modified slots, thestep 304 may be eliminated.

Referring to FIG. 10, a flow chart 350 illustrates steps performed inconnection with the local storage device 24 increasing the sequencenumber. Processing begins at a first step 352 where the local storagedevice 24 waits at least M seconds prior to increasing the sequencenumber. In an embodiment herein, M is thirty, but of course M could beany number. Larger values for M increase the amount of data that may belost if communication between the storage devices 24, 26 is disrupted.However, smaller values for M increase the total amount of overheadcaused by incrementing the sequence number more frequently.

Following the step 352 is a test step 354 which determines if all of theHA's of the local storage device 24 have set a bit indicating that theHA's have completed all of the I/O's for a previous sequence number.When the sequence number changes, each of the HA's notices the changeand sets a bit indicating that all I/O's of the previous sequence numberare completed. For example, if the sequence number changes from N−1 toN, an HA will set the bit when the HA has completed all I/O's forsequence number N−1. Note that, in some instances, a single I/O for anHA may take a long time and may still be in progress even after thesequence number has changed. Note also that, for some systems, adifferent mechanism may be used to determine if all of the HA's havecompleted their N−1 I/O's. The different mechanism may include examiningdevice tables in the memory 37.

If it is determined at the test step 354 that I/O's from the previoussequence number have been completed, then control transfers from thestep 354 to a test step 356 which determines if the inactive one of thelists 74, 76 is empty. Note that a sequence number switch may not bemade unless and until all of the data corresponding to the inactive oneof the lists 74, 76 has been completely transmitted from the localstorage device 24 to the remote storage device 26 using the RDFprotocol. Once the inactive one of the lists 74, 76 is determined to beempty, then control transfers from the step 356 to a step 358 where thecommit for the previous sequence number is sent from the local storagedevice 24 to the remote storage device 26. As discussed above, theremote storage device 26 receiving a commit message for a particularsequence number will cause the remote storage device 26 to beginrestoring the data corresponding to the sequence number.

Following the step 358 is a step 362 where the copying of data for theinactive one of the lists 74, 76 is suspended. As discussed elsewhereherein, the inactive one of the lists is scanned to send correspondingdata from the local storage device 24 to the remote storage device 26.It is useful to suspend copying data until the sequence number switch iscompleted. In an embodiment herein, the suspension is provided bysending a message to the RA's 30 a-30 c. However, it will be appreciatedby one of ordinary skill in the art that for embodiments that use othercomponents to facilitate sending data using the system described herein,suspending copying may be provided by sending appropriatemessages/commands to the other components.

Following step 362 is a step 364 where the sequence number isincremented. Following step 364 is a step 366 where the bits for theHA's that are used in the test step 354 are all cleared so that the bitsmay be set again in connection with the increment of the sequencenumber. Following step 366 is a test step 372 which determines if theremote storage device 26 has acknowledged the commit message sent at thestep 358. Acknowledging the commit message is discussed above inconnection with FIG. 8. Once it is determined that the remote storagedevice 26 has acknowledged the commit message sent at the step 358,control transfers from the step 372 to a step 374 where the suspensionof copying, which was provided at the step 362, is cleared so thatcopying may resume. Following step 374, processing is complete. Notethat it is possible to go from the step 374 back to the step 352 tobegin a new cycle to continuously increment the sequence number.

It is also possible to use COVD's on the R1 device to collect slotsassociated with active data and inactive chunks of data. In that case,just as with the R2 device, one COVD could be associated with theinactive sequence number and another COVD could be associated with theactive sequence number. This is described below.

Referring to FIG. 11, a diagram 400 illustrates items used to constructand maintain the chunks 52, 54. A standard logical device 402 containsdata written by the host 22 and corresponds to the data element 51 ofFIG. 2 and the disks 33 a-33 c of FIG. 1. The standard logical device402 contains data written by the host 22 to the local storage device 24.

Two cache only virtual devices 404, 406 are used in connection with thestandard logical device 402. The cache only virtual devices 404, 406corresponded device tables that may be stored, for example, in thememory 37 of the local storage device 24. Each track entry of the tablesof each of the cache only virtual devices 404, 406 point to either atrack of the standard logical device 402 or point to a slot of a cache408 used in connection with the local storage device 24. In someembodiments, the cache 408 may be provided in the memory 37 of the localstorage device 24.

The cache 408 contains a plurality of cache slots 412-414 that may beused in connection to writes to the standard logical device 402 and, atthe same time, used in connection with the cache only virtual devices404, 406. In an embodiment herein, each track table entry of the cacheonly virtual devices 404, 406 contains a null to point to acorresponding track of the standard logical device 402. Otherwise, anentry in the track table for each of the cache only virtual devices 404,406 contains a pointer to one of the slots 412-414 in the cache 408.

Each of the cache only virtual devices 404, 406 may be used for one ofthe chunks of data 52, 54 so that, for example, the cache only virtualdevice 404 may correspond to the chunk of data 52 for sequence number Nwhile the cache only virtual device 406 may correspond to the chunk ofdata 54 for sequence number N−1. Thus, when data is written by the host22 to the local storage device 24, the data is provided to the cache 408and an appropriate pointer of the cache only virtual device 404 isadjusted. Note that the data will not be removed from the cache 408until the data is destaged to the standard logical device 402 and thedata is also released by the cache only virtual device 404, as describedelsewhere herein.

In an embodiment herein, one of the cache only virtual devices 404, 406is deemed “active” while the other is deemed “inactive”. Thus, forexample, when the sequence number N is even, the cache only virtualdevice 404 may be active while the cache only virtual device 406 isinactive. The active one of the cache only virtual devices 404, 406handles writes from the host 22 while the inactive one of the cache onlyvirtual devices 404, 406 corresponds to the data that is beingtransmitted from the local storage device 24 to the remote storagedevice 26.

While the data that is written by the host 22 is accumulated using theactive one of the cache only virtual devices 404, 406 (for the sequencenumber N), the data corresponding to the inactive one of the cache onlyvirtual devices 404, 406 (for previous sequence number N−1) istransmitted from the local storage device 24 to the remote storagedevice 26. For this and related embodiments, the DA's 35 a-35 c of thelocal storage device handle scanning the inactive one of the cache onlyvirtual devices 404, 406 to send copy requests to one or more of theRA's 30 a-30 c to transmit the data from the local storage device 24 tothe remote storage device 26. Thus, the steps 362, 374, discussed abovein connection with suspending and resuming copying, may includeproviding messages/commands to the DA's 35 a-35 c.

Once the data has been transmitted to the remote storage device 26, thecorresponding entry in the inactive one of the cache only virtualdevices 404, 406 may be set to null. In addition, the data may also beremoved from the cache 408 (i.e., the slot returned to the pool of slotsfor later use) if the data in the slot is not otherwise needed foranother purpose (e.g., to be destaged to the standard logical device402). A mechanism may be used to ensure that data is not removed fromthe cache 408 until all mirrors (including the cache only virtualdevices 404, 406) are no longer using the data. Such a mechanism isdescribed, for example, in U.S. Pat. No. 5,537,568 issued on Jul. 16,1996 and in U.S. Pat. No. 6,594,742 issued on Jul. 15, 2003, both ofwhich are incorporated by reference herein.

Referring to FIG. 12, a flow chart 440 illustrates steps performed bythe HA 28 in connection with a host 22 performing a write operation forembodiments where two COVD's are used by the R1 device to provide thesystem described herein. Processing begins at a first step 442 where aslot corresponding to the write is locked. In an embodiment herein, eachof the slots 412-414 of the cache 408 corresponds to a track of data onthe standard logical device 402. Locking the slot at the step 442prevents additional processes from operating on the relevant slot duringthe processing performed by the HA 28 corresponding to the steps of theflow chart 440.

Following the step 442 is a step 444 where a value for N, the sequencenumber, is set. Just as with the embodiment that uses lists rather thanCOVD's on the R1 side, the value for the sequence number obtained at thestep 444 is maintained during the entire write operation performed bythe HA 28 while the slot is locked. As discussed elsewhere herein, thesequence number is assigned to each write to set the one of the chunksof data 52, 54 to which the write belongs. Writes performed by the host22 are assigned the current sequence number. It is useful that a singlewrite operation maintain the same sequence number throughout.

Following the step 444 is a test step 446, which determines if theinactive one of the cache only virtual devices 404, 406 already pointsto the slot that was locked at the step 442 (the slot being operatedupon). This may occur if a write to the same slot was provided when thesequence number was one less than the current sequence number. The datacorresponding to the write for the previous sequence number may not yethave been transmitted to the remote storage device 26.

If it is determined at the test step 446 that the inactive one of thecache only virtual devices 404, 406 does not point to the slot, thencontrol transfers from the test step 446 to another test step 448, whereit is determined if the active one of the cache only virtual devices404, 406 points to the slot. It is possible for the active one of thecache only virtual devices 404, 406 to point to the slot if there hadbeen a previous write to the slot while the sequence number was the sameas the current sequence number. If it is determined at the test step 448that the active one of the cache only virtual devices 404, 406 does notpoint to the slot, then control transfers from the test step 448 to astep 452 where a new slot is obtained for the data. Following the step452 is a step 454 where the active one of the cache only virtual devices404, 406 is made to point to the slot.

Following the step 454, or following the step 448 if the active one ofthe cache only virtual devices 404, 406 points to the slot, is a step456 where flags are set. At the step 456, the RDF_WP flag (RDF writepending flag) is set to indicate that the slot needs to be transmittedto the remote storage device 26 using RDF. In addition, at the step 456,the IN_CACHE flag is set to indicate that the slot needs to be destagedto the standard logical device 402. Note that, in some instances, if theactive one of the cache only virtual devices 404, 406 already points tothe slot (as determined at the step 448) it is possible that the RDF_WPand IN_CACHE flags were already set prior to execution of the step 456.However, setting the flags at the step 456 ensures that the flags areset properly no matter what the previous state.

Following the step 456 is a step 458 where an indirect flag in the tracktable that points to the slot is cleared, indicating that the relevantdata is provided in the slot and not in a different slot indirectlypointed to. Following the step 458 is a step 462 where the data beingwritten by the host 22 and the HA 28 is written to the slot. Followingthe step 462 is a step 464 where the slot is unlocked. Following step464, processing is complete.

If it is determined at the test step 446 that the inactive one of thecache only virtual devices 404, 406 points to the slot, then controltransfers from the step 446 to a step 472, where a new slot is obtained.The new slot obtained at the step 472 may be used for the inactive oneof the cache only virtual devices 404, 406 to effect the RDF transferwhile the old slot may be associated with the active one of the cacheonly virtual devices 404, 406, as described below.

Following the step 472 is a step 474 where the data from the old slot iscopied to the new slot that was obtained at the step 472. Following thestep 474 is a step 476 where the indirect flag (discussed above) is setto indicate that the track table entry for the inactive one of the cacheonly virtual devices 404, 406 points to the old slot but that the datais in the new slot which is pointed to by the old slot. Thus, settingindirect flag at the step 476 affects the track table of the inactiveone of the cache only virtual devices 404, 406 to cause the track tableentry to indicate that the data is in the new slot.

Following the step 476 is a step 478 where the mirror bits for therecords in the new slot are adjusted. Any local mirror bits that werecopied when the data was copied from the old slot to the new slot at thestep 474 are cleared since the purpose of the new slot is to simplyeffect the RDF transfer for the inactive one of the cache only virtualdevices. The old slot will be used to handle any local mirrors.Following the step 478 is the step 462 where the data is written to theslot. Following step 462 is the step 464 where the slot is unlocked.Following the step 464, processing is complete.

Referring to FIG. 13, a flow chart 500 illustrates steps performed inconnection with the local storage device 24 transmitting the chunk ofdata 54 to the remote storage device 26. The transmission essentiallyinvolves scanning the inactive one of the cache only virtual devices404, 406 for tracks that have been written thereto during a previousiteration when the inactive one of the cache only virtual devices 404,406 was active. In this embodiment, the DA's 35 a-35 c of the localstorage device 24 scan the inactive one of the cache only virtualdevices 404, 406 to copy the data for transmission to the remote storagedevice 26 by one or more of the RA's 30 a-30 c using the RDF protocol.

Processing begins at a first step 502 where the first track of theinactive one of the cache only virtual devices 404, 406 is pointed to inorder to begin the process of iterating through all of the tracks.Following the first step 502 is a test step 504 where it is determinedif the RDF_WP flag is set. As discussed elsewhere herein, the RDF_WPflag is used to indicate that a slot (track) contains data that needs tobe transmitted via the RDF link. The RDF_WP flag being set indicatesthat at least some data for the slot (track) is to be transmitted usingRDF. In an embodiment herein, the entire slot is not transmitted.Rather, only records within the slot that have the appropriate mirrorbits set (indicating the records have changed) are transmitted to theremote storage device 26. However, in other embodiments, it may bepossible to transmit the entire slot, provided that the remote storagedevice 26 only writes data corresponding to records having appropriatemirror bits set and ignores other data for the track, which may or maynot be valid.

If it is determined at the test step 504 that the cache slot beingprocessed has the RDF_WP flag set, then control transfers from the step504 to a test step 505, where it is determined if the slot contains thedata or if the slot is an indirect slot that points to another slot thatcontains the relevant data. In some instances, a slot may not containthe data for the portion of the disk that corresponds to the slot.Instead, the slot may be an indirect slot that points to another slotthat contains the data. If it is determined at the step 505 that theslot is an indirect slot, then control transfers from the step 505 to astep 506, where the data (from the slot pointed to by the indirect slot)is obtained. Thus, if the slot is a direct slot, the data for being sentby RDF is stored in the slot while if the slot is an indirect slot, thedata for being sent by RDF is in another slot pointed to by the indirectslot.

Following the step 506 or the step 505 if the slot is a direct slot is astep 507 where data being sent (directly or indirectly from the slot) iscopied by one of the DA's 35 a-35 c to be sent from the local storagedevice 24 to the remote storage device 26 using the RDF protocol.Following the step 507 is a test step 508 where it is determined if theremote storage device 26 has acknowledged receipt of the data. If not,then control transfers from the step 508 back to the step 507 to resendthe data. In other embodiments, different and more involved processingmay used to send data and acknowledge receipt thereof. Such processingmay include error reporting and alternative processing that is performedafter a certain number of attempts to send the data have failed.

Once it is determined at the test step 508 that the data has beensuccessfully sent, control passes from the step 508 to a step 512 toclear the RDF_WP flag (since the data has been successfully sent viaRDF). Following the step 512 is a step 514 where appropriate mirrorflags are cleared to indicate that at least the RDF mirror (R2) nolonger needs the data. In an embodiment herein, each record that is partof a slot (track) has individual mirror flags indicating which mirrorsuse the particular record. The R2 device is one of the mirrors for eachof the records and it is the flags corresponding to the R2 device thatare cleared at the step 514.

Following the step 514 is a test step 516 which determines if any of therecords of the track being processed have any other mirror flags set(for other mirror devices). If not, then control passes from the step516 to a step 518 where the slot is released (i.e., no longer beingused). In some embodiments, unused slots are maintained in a pool ofslots available for use. Note that if additional flags are still set forsome of the records of the slot, it may mean that the records need to bedestaged to the standard logical device 402 or are being used by someother mirror (including another R2 device). Following the step 518, orfollowing the step 516 if more mirror flags are present, is a step 522where the pointer that is used to iterate through each track entry ofthe inactive one of the cache only virtual devices 404, 406 is made topoint to the next track. Following the step 522 is a test step 524 whichdetermines if there are more tracks of the inactive one of the cacheonly virtual devices 404, 406 to be processed. If not, then processingis complete. Otherwise, control transfers back to the test step 504,discussed above. Note that the step 522 is also reached from the teststep 504 if it is determined that the RDF_WP flag is not set for thetrack being processed.

Referring to FIG. 14, a diagram 700 illustrates a host 702 coupled to aplurality of local storage devices 703-705. The diagram 700 also shows aplurality of remote storage devices 706-708. Although only three localstorage devices 703-705 and three remote storage devices 706-708 areshown in the diagram 700, the system described herein may be expanded touse any number of local and remote storage devices.

Each of the local storage devices 703-705 is coupled to a correspondingone of the remote storage devices 706-708 so that, for example, thelocal storage device 703 is coupled to the remote storage device 706,the local storage device 704 is coupled to the remote storage device 707and the local storage device 705 is coupled to the remote storage device708. The local storage device is 703-705 and remote storage device is706-708 may be coupled using the ordered writes mechanism describedherein so that, for example, the local storage device 703 may be coupledto the remote storage device 706 using the ordered writes mechanism. Asdiscussed elsewhere herein, the ordered writes mechanism allows datarecovery using the remote storage device in instances where the localstorage device and/or host stops working and/or loses data.

In some instances, the host 702 may run a single application thatsimultaneously uses more than one of the local storage devices 703-705.In such a case, the application may be configured to insure thatapplication data is consistent (recoverable) at the local storagedevices 703-705 if the host 702 were to cease working at any time and/orif one of the local storage devices 703-705 were to fail. However, sinceeach of the ordered write connections between the local storage devices703-705 and the remote storage devices 706-708 is asynchronous from theother connections, then there is no assurance that data for theapplication will be consistent (and thus recoverable) at the remotestorage devices 706-708. That is, for example, even though the dataconnection between the local storage device 703 and the remote storagedevice 706 (a first local/remote pair) is consistent and the dataconnection between the local storage device 704 and the remote storagedevice 707 (a second local/remote pair) is consistent, it is notnecessarily the case that the data on the remote storage devices 706,707 is always consistent if there is no synchronization between thefirst and second local/remote pairs.

For applications on the host 702 that simultaneously use a plurality oflocal storage devices 703-705, it is desirable to have the data beconsistent and recoverable at the remote storage devices 706-708. Thismay be provided by a mechanism whereby the host 702 controls cycleswitching at each of the local storage devices 703-705 so that the datafrom the application running on the host 702 is consistent andrecoverable at the remote storage devices 706-708. This functionality isprovided by a special application that runs on the host 702 thatswitches a plurality of the local storage devices 703-705 into multi-boxmode, as described in more detail below.

Referring to FIG. 15, a table 730 has a plurality of entries 732-734.Each of the entries 732-734 correspond to a single local/remote pair ofstorage devices so that, for example, the entry 732 may correspond topair of the local storage device 703 and the remote storage device 706,the entry 733 may correspond to pair of the local storage device 704 andthe remote storage device 707 and the entry 734 may correspond to thepair of local storage device 705 and the remote storage device 708. Eachof the entries 732-734 has a plurality of fields where a first field 736a-736 c represents a serial number of the corresponding local storagedevice, a second field 738 a-738 c represents a session number used bythe multi-box group, a third field 742 a-742 c represents the serialnumber of the corresponding remote storage device of the local/remotepair, and a fourth field 744 a-744 c represents the session number forthe multi-box group. The table 730 is constructed and maintained by thehost 702 in connection with operating in multi-box mode. In addition,the table 730 is propagated to each of the local storage devices and theremote storage devices that are part of the multi-box group. The table730 may be used to facilitate recovery, as discussed in more detailbelow.

Different local/remote pairs may enter and exit multi-box modeindependently in any sequence and at any time. The host 702 managesentry and exit of local storage device/remote storage device pairs intoand out of multi-box mode. This is described in more detail below.

Referring to FIG. 16, a flowchart 750 illustrates steps performed by thehost 702 in connection with entry or exit of a local/remote pair in toor out of multi-box mode. Processing begins at a first step 752 wheremulti-box mode operation is temporarily suspended. Temporarilysuspending multi-box operation at the step 752 is useful to facilitatethe changes that are made in connection with entry or exit of aremote/local pair in to or out of multi-box mode. Following the step752, is a step 754 where a table like the table 730 of FIG. 15 ismodified to either add or delete an entry, as appropriate. Following thestep 754 is a step 756 where the modified table is propagated to thelocal storage devices and remote storage devices of the multi-box group.Propagating the table at the step 756 facilitates recovery, as discussedin more detail elsewhere herein.

Following the step 756 is a step 758 where a message is sent to theaffected local storage device to provide the change. The local storagedevice may configure itself to run in multi-box mode or not, asdescribed in more detail elsewhere herein. As discussed in more detailbelow, a local storage device handling ordered writes operatesdifferently depending upon whether it is operating as part of amulti-box group or not. If the local storage device is being added to amulti-box group, the message sent at the step 758 indicates to the localstorage device that it is being added to a multi-box group so that thelocal storage device should configure itself to run in multi-box mode.Alternatively, if a local storage device is being removed from amulti-box group, the message sent at the step 758 indicates to the localstorage device that it is being removed from the multi-box group so thatthe local storage device should configure itself to not run in multi-boxmode.

Following step 758 is a test step 762 where it is determined if alocal/remote pair is being added to the multi-box group (as opposed tobeing removed). If so, then control transfers from the test step 762 toa step 764 where tag values are sent to the local storage device that isbeing added. The tag values are provided with the data transmitted fromthe local storage device to the remote storage device in a mannersimilar to providing the sequence numbers with the data. The tag valuesare controlled by the host and set so that all of the local/remote pairssend data having the same tag value during the same cycle. Use of thetag values is discussed in more detail below. Following the step 764, orfollowing the step 762 if a new local/remote pair is not being added, isa step 766 where multi-box operation is resumed. Following the step 766,processing is complete.

Referring to FIG. 17, a flow chart 780 illustrates steps performed inconnection with the host managing cycle switching for multiplelocal/remote pairs running as a group in multi-box mode. As discussedelsewhere herein, multi-box mode involves having the host synchronizecycle switches for more than one remote/local pair to maintain dataconsistency among the remote storage devices. Cycle switching iscoordinated by the host rather than being generated internally by thelocal storage devices. This is discussed in more detail below.

Processing for the flow chart 780 begins at a test step 782 whichdetermines if M seconds have passed. Just as with non-multi-boxoperation, cycle switches occur no sooner than every M seconds where Mis a number chosen to optimize various performance parameters. As thenumber M is increased, the amount of overhead associated with switchingdecreases. However, increasing M also causes the amount of data that maybe potentially lost in connection with a failure to also increase. In anembodiment herein, M is chosen to be thirty seconds, although, obviouslyother values for M may be used.

If it is determined at the test step 782 that M seconds have not passed,then control transfers back to the step 782 to continue waiting until Mseconds have passed. Once it is determined at the test step 782 that Mseconds have passed, control transfers from the step 782 to a step 784where the host queries all of the local storage devices in the multi-boxgroup to determine if all of the local/remote pairs are ready to switch.The local/remote pairs being ready to switch is discussed in more detailhereinafter.

Following the step 784 is a test step 786 which determines if all of thelocal/remote pairs are ready to switch. If not, control transfers backto the step 784 to resume the query. In an embodiment herein, it is onlynecessary to query local/remote pairs that were previously not ready toswitch since, once a local/remote pair is ready to switch, the pairremains so until the switch occurs.

Once it is determined at the test step 786 that all of the local/remotepairs in the multi-box group are ready to switch, control transfers fromthe step 786 to a step 788 where an index variable, N, is set equal toone. The index variable N is used to iterate through all thelocal/remote pairs (i.e., all of the entries 732-734 of the table 730 ofFIG. 15). Following the step 788 is a test step 792 which determines ifthe index variable, N, is greater than the number of local/remote pairsin the multi-box group. If not, then control transfers from the step 792to a step 794 where an open window is performed for the Nth localstorage device of the Nth pair by the host sending a command (e.g., anappropriate system command) to the Nth local storage device. Opening thewindow for the Nth local storage device at the step 794 causes the Nthlocal storage device to suspend writes so that any write by a host thatis not begun prior to opening the window at the step 794 will not becompleted until the window is closed (described below). Not completing awrite operation prevents a second dependant write from occurring priorto completion of the cycle switch. Any writes in progress that werebegun before opening the window may complete prior to the window beingclosed.

Following the step 794 is a step 796 where a cycle switch is performedfor the Nth local storage device. Performing the cycle switch at thestep 796 involves sending a command from the host 702 to the Nth localstorage device. Processing the command from the host by the Nth localstorage device is discussed in more detail below. Part of the processingperformed at the step 796 may include having the host provide new valuesfor the tags that are assigned to the data. The tags are discussed inmore detail elsewhere herein. In an alternative embodiment, theoperations performed at the steps 794, 796 may be performed as a singleintegrated step 797, which is illustrated by the box drawn around thesteps 794, 796.

Following the step 796 is a step 798 where the index variable, N, isincremented. Following step 798, control transfers back to the test step792 to determine if the index variable, N, is greater than the number oflocal/remote pairs.

If it is determined at the test step 792 that the index variable, N, isgreater than the number of local/remote pairs, then control transfersfrom the test step 792 to a step 802 where the index variable, N, is setequal to one. Following the step 802 is a test step 804 which determinesif the index variable, N, is greater than the number of local/remotepairs. If not, then control transfers from the step 804 to a step 806where the window for the Nth local storage device is closed. Closing thewindow of the step 806 is performed by the host sending a command to theNth local storage device to cause the Nth local storage device to resumewrite operations. Thus, any writes in process that were suspended byopening the window at the step 794 may now be completed after executionof the step 806. Following the step 806, control transfers to a step 808where the index variable, N, is incremented. Following the step 808,control transfers back to the test step 804 to determine if the indexvariable, N, is greater than the number of local/remote pairs. If so,then control transfers from the test step 804 back to the step 782 tobegin processing for the next cycle switch.

Referring to FIG. 18, a flow chart 830 illustrates steps performed by alocal storage device in connection with cycle switching. The flow chart830 of FIG. 18 replaces the flow chart 350 of FIG. 10 in instances wherethe local storage device supports both multi-box mode and non-multi-boxmode. That is, the flow chart 830 shows steps performed like those ofthe flow chart 350 of FIG. 10 to support non-multi-box mode and, inaddition, includes steps for supporting multi-box mode.

Processing begins at a first test step 832 which determines if the localstorage device is operating in multi-box mode. Note that the flow chart750 of FIG. 16 shows the step 758 where the host sends a message to thelocal storage device. The message sent at the step 758 indicates to thelocal storage device whether the local storage device is in multi-boxmode or not. Upon receipt of the message sent by the host at the step758, the local storage device sets an internal variable to indicatewhether the local storage device is operating in multi-box mode or not.The internal variable may be examined at the test step 832.

If it is determined at the test step 832 that the local storage deviceis not in multi-box mode, then control transfers from the test step 832to a step 834 to wait M seconds for the cycle switch. If the localstorage device is not operating in multi-box mode, then the localstorage device controls its own cycle switching and thus executes thestep 834 to wait M seconds before initiating the next cycle switch.

Following the step 834, or following the step 832 if the local storagedevice is in multi-box mode, is a test step 836 which determines if allof the HA's of the local storage device have set a bit indicating thatthe HA's have completed all of the I/O's for a previous sequence number.When the sequence number changes, each of the HA's notices the changeand sets a bit indicating that all I/O's of the previous sequence numberare completed. For example, if the sequence number changes from N−1 toN, an HA will set the bit when the HA has completed all I/O's forsequence number N−1. Note that, in some instances, a single I/O for anHA may take a long time and may still be in progress even after thesequence number has changed. Note also that, for some systems, adifferent mechanism may be used to determine if all HA's have completedtheir N−1 I/O's. The different mechanism may include examining devicetables. Once it is determined at the test step 836 that all HA's haveset the appropriate bit, control transfers from the test step 836 to astep 888 which determines if the inactive chunk for the local storagedevice is empty. Once it is determined at the test step 888 that theinactive chunk is empty, control transfers from the step 888 to a step899, where copying of data from the local storage device to the remotestorage device is suspended. It is useful to suspend copying data untilthe sequence number switch is complete.

Following the step 899 is a test step 892 to determine if the localstorage device is in multi-box mode. If it is determined at the teststep 892 that the local storage device is in multi-box mode, thencontrol transfers from the test step 892 to a test step 894 to determineif the active chunk of the corresponding remote storage device is empty.As discussed in more detail below, the remote storage device sends amessage to the local storage device once it has emptied its activechunk. In response to the message, the local storage device sets aninternal variable that is examined at the test step 894.

Once it is determined at the test step 894 that the active chunk of theremote storage device is empty, control transfers from the test step 894to a step 896 where an internal variable is set on a local storagedevice indicating that the local storage device is ready to switchcycles. As discussed above in connection with the flow chart 780 of FIG.17, the host queries each of the local storage devices to determine ifeach of the local storage devices are ready to switch. In response tothe query provided by the host, the local storage device examines theinternal variable set at the step 896 and returns the result to thehost.

Following step 896 is a test step 898 where the local storage devicewaits to receive the command from the host to perform the cycle switch.As discussed above in connection with the flow chart 780 of FIG. 17, thehost provides a command to switch cycles to the local storage devicewhen the local storage device is operating in multi-box mode. Thus, thelocal storage device waits for the command at the step 898, which isonly reached when the local storage device is operating in multi-boxmode.

Once the local storage device has received the switch command from thehost, control transfers from the step 898 to a step 902 to send a commitmessage to the remote storage device. Note that the step 902 is alsoreached from the test step 892 if it is determined at the step test 892that the local storage device is not in multi-box mode. At the step 902,the local storage device sends a commit message to the remote storagedevice. In response to receiving a commit message for a particularsequence number, the remote storage device will begin restoring the datacorresponding to the sequence number, as discussed above.

Following the step 902 is a step 906 where the sequence number isincremented and a new value for the tag (from the host) is stored. Thesequence number is as discussed above. The tag is the tag provided tothe local storage device at the step 764 and at the step 796, asdiscussed above. The tag is used to facilitate data recovery, asdiscussed elsewhere herein.

Following the step 906 is a step 907 where completion of the cycleswitch is confirmed from the local storage device to the host by sendinga message from the local storage device to the host. In someembodiments, it is possible to condition performing the step 907 onwhether the local storage device is in multi-box mode or not, since, ifthe local storage device is not in multi-box mode, the host is notnecessarily interested in when cycle switches occur.

Following the step 907 is a step 908 where the bits for the HA's thatare used in the test step 836 are all cleared so that the bits may beset again in connection with the increment of the sequence number.Following the step 908 is a test step 912 which determines if the remotestorage device has acknowledged the commit message. Note that if thelocal/remote pair is operating in multi-box mode and the remote storagedevice active chunk was determined to be empty at the step 894, then theremote storage device should acknowledge the commit message nearlyimmediately since the remote storage device will be ready for the cycleswitch immediately because the active chunk thereof is already empty.

Once it is determined at the test step 912 that the commit message hasbeen acknowledged by the remote storage device, control transfers fromthe step 912 to a step 914 where the suspension of copying, which wasprovided at the step 899, is cleared so that copying from the localstorage device to the remote storage device may resume. Following thestep 914, processing is complete.

Referring to FIG. 19, a flow chart 940 illustrates steps performed inconnection with RA's scanning the inactive buffers to transmit RDF datafrom the local storage device to the remote storage device. The flowchart 940 of FIG. 19 is similar to the flow chart 200 of FIG. 6 andsimilar steps are given the same reference number. However, the flowchart 940 includes two additional steps 942, 944 which are not found inthe flow chart 200 of FIG. 6. The additional steps 942, 944 are used tofacilitate multi-box processing. After data has been sent at the step212, control transfers from the step 212 to a test step 942 whichdetermines if the data being sent is the last data in the inactive chunkof the local storage device. If not, then control transfers from thestep 942 to the step 214 and processing continues as discussed above inconnection with the flow chart 200 of FIG. 6. Otherwise, if it isdetermined at the test step 942 that the data being sent is the lastdata of the chunk, then control transfers from the step 942 to the step944 to send a special message from the local storage device to theremote storage device indicating that the last data has been sent.Following the step 944, control transfers to the step 214 and processingcontinues as discussed above in connection with the flow chart 200 ofFIG. 6. In some embodiments, the steps 942, 944 may be performed by aseparate process (and/or separate hardware device) that is differentfrom the process and/or hardware device that transfers the data.

Referring to FIG. 20, a flow chart 950 illustrates steps performed inconnection with RA's scanning the inactive buffers to transmit RDF datafrom the local storage device to the remote storage device. The flowchart 950 of FIG. 20 is similar to the flow chart 500 of FIG. 13 andsimilar steps are given the same reference number. However, the flowchart 950 includes an additional step 952, which is not found in theflow chart 500 of FIG. 13. The additional steps 952 is used tofacilitate multi-box processing and is like the additional step 944 ofthe flowchart 940 of FIG. 19. After it is determined at the test step524 that no more slots remain to be sent from the local storage deviceto the remote storage device, control transfers from the step 524 to thestep 952 to send a special message from the local storage device to theremote storage device indicating that the last data for the chunk hasbeen sent. Following the step 952, processing is complete.

Referring to FIG. 21, a flow chart 960 illustrates steps performed atthe remote storage device in connection with providing an indicationthat the active chunk of the remote storage device is empty. The flowchart 960 is like the flow chart 300 of FIG. 9 except that the flowchart 960 shows a new step 962 that is performed after the active chunkof the remote storage device has been restored. At the step 962, theremote storage device sends a message to the local storage deviceindicating that the active chunk of the remote storage device is empty.Upon receipt of the message sent at the step 962, the local storagedevice sets an internal variable indicating that the inactive buffer ofthe remote storage device is empty. The local variable is examined inconnection with the test step 894 of the flow chart 830 of FIG. 18,discussed above.

Referring to FIG. 22, a diagram 980 illustrates the host 702, localstorage devices 703-705 and remote storage devices 706-708, that areshown in the diagram 700 of FIG. 14. The Diagram 980 also includes afirst alternative host 982 that is coupled to the host 702 and the localstorage devices 703-705. The diagram 980 also includes a secondalternative host 984 that is coupled to the remote storage devices706-708. The alternative hosts 982, 984 may be used for data recovery,as described in more detail below.

When recovery of data at the remote site is necessary, the recovery maybe performed by the host 702 or, by the host 982 provided that the linksbetween the local storage devices 703-705 and the remote storage devices706-708 are still operational. If the links are not operational, thendata recovery may be performed by the second alternative host 984 thatis coupled to the remote storage devices 706-708. The second alternativehost 984 may be provided in the same location as one or more of theremote storage devices 706-708. Alternatively, the second alternativehost 984 may be remote from all of the remote storage devices 706-708.The table 730 that is propagated throughout the system is accessed inconnection with data recovery to determine the members of the multi-boxgroup.

Referring to FIG. 23, a flow chart 1000 illustrates steps performed byeach of the remote storage devices 706-708 in connection with the datarecovery operation. The steps of the flowchart 1000 may be executed byeach of the remote storage devices 706-708 upon receipt of a signal or amessage indicating that data recovery is necessary. In some embodiments,it may be possible for a remote storage device to automatically sensethat data recovery is necessary using, for example, conventionalcriteria such as length of time since last write.

Processing begins at a first step 1002 where the remote storage devicefinishes restoring the active chunk in a manner discussed elsewhereherein. Following the step 1002 is a test step 1004 which determines ifthe inactive chunk of the remote storage device is complete (i.e., allof the data has been written thereto). Note that a remote storage devicemay determine if the inactive chunk is complete using the message sentby the local storage device at the steps 944, 952, discussed above. Thatis, if the local storage device has sent the message at the step 944 orthe step 952, then the remote storage device may use receipt of thatmessage to confirm that the inactive chunk is complete.

If it is determined at the test step 1004 that the inactive chunk of theremote storage device is not complete, then control transfers from thetest step 1004 to a step 1006 where the data from the inactive chunk isdiscarded. No data recovery is performed using incomplete inactivechunks since the data therein may be inconsistent with the correspondingactive chunks. Accordingly, data recovery is performed using activechunks and, in some cases, inactive chunks that are complete. Followingthe step 1006, processing is complete.

If it is determined at the test step 1004 that the inactive chunk iscomplete, then control transfers from the step 1004 to the step 1008where the remote storage device waits for intervention by the host. Ifan inactive chunk, one of the hosts 702, 982, 984, as appropriate, needsto examine the state of all of the remote storage devices in themulti-box group to determine how to perform the recovery. This isdiscussed in more detail below.

Following step 1008 is a test step 1012 where it is determined if thehost has provided a command to all storage device to discard theinactive chunk. If so, then control transfers from the step 1012 to thestep 1006 to discard the inactive chunk. Following the step 1006,processing is complete.

If it is determined at the test step 1002 that the host has provided acommand to restore the complete inactive chunk, then control transfersfrom the step 1012 to a step 1014 where the inactive chunk is restoredto the remote storage device. Restoring the inactive chunk in the remotestorage device involves making the inactive chunk an active chunk andthen writing the active chunk to the disk as described elsewhere herein.Following the step 1014, processing is complete.

Referring to FIG. 24, a flow chart 1030 illustrates steps performed inconnection with one of the hosts 702, 982, 984 determining whether todiscard or restore each of the inactive chunks of each of the remotestorage devices. The one of the hosts 702, 982, 984 that is performingthe restoration communicates with the remote storage devices 706-708 toprovide commands thereto and to receive information therefrom using thetags that are assigned by the host as discussed elsewhere herein.

Processing begins at a first step 1032 where it is determined if any ofthe remote storage devices have a complete inactive chunk. If not, thenthere is no further processing to be performed and, as discussed above,the remote storage devices will discard the incomplete chunks on theirown without host intervention. Otherwise, control transfers from thetest step 1032 to a test step 1034 where the host determines if all ofthe remote storage devices have complete inactive chunks. If so, thencontrol transfers from the test step 1034 to a test step 1036 where itis determined if all of the complete inactive chunks of all of theremote storage devices have the same tag number. As discussed elsewhereherein, tags are assigned by the host and used by the system to identifydata in a manner similar to the sequence number except that tags arecontrolled by the host to have the same value for the same cycle.

If it is determined at the test step 1036 that all of the remote storagedevices have the same tag for the inactive chunks, then controltransfers from the step 1036 to a step 1038 where all of the inactivechunks are restored. Performing the step 1038 ensures that all of theremote storage devices have data from the same cycle. Following the step1038, processing is complete.

If it is determined at the test step 1034 that all of the inactivechunks are not complete, or if it is determined that at the step 1036that all of the complete inactive chunks do not have the same tag, thencontrol transfers to a step 1042 where the host provides a command tothe remote storage devices to restore the complete inactive chunkshaving the lower tag number. For purposes of explanation, it is assumedthat the tag numbers are incremented so that a lower tag numberrepresents older data. By way of example, if a first remote storagedevice had a complete inactive chunk with a tag value of three and asecond remote storage device had a complete inactive chunk with a tagvalue of four, the step 1042 would cause the first remote storage device(but not the second) to restore its inactive chunk. Following the step1042 is a step 1044 where the host provides commands to the remotestorage devices to discard the complete inactive buffers having a highertag number (e.g., the second remote storage device in the previousexample). Following step 1044, processing is complete.

Following execution of the step 1044, each of the remote storage devicescontains data associated with the same tag value as data for the otherones of the remote storage devices. Accordingly, the recovered data onthe remote storage devices 706-708 should be consistent.

Referring to FIG. 25, a diagram 1120 illustrates an embodiment where astorage device 1124, which is like the storage device 24 and/or thestorage device 26, includes a plurality of directors 1152 a-1152 c thatare coupled to a memory 1126, like the memory 37 and/or the memory 38 ofthe storage devices 24, 26. Each of the directors 1152 a-1152 crepresents an HA, DA, and/or RA like the HA 28, the DA's 35 a-35 c, 36a-36 c, and/or the RA's 30 a-30 c, 32 a-32 c of the storage devices. Inan embodiment disclosed herein, there may be up to sixteen directorscoupled to the memory 1126. Of course, for other embodiments, there maybe a higher or lower maximum number of directors that may be used.

The diagram 1120 also shows an optional communication module (CM) 1154that provides an alternative communication path between the directors1152 a-1152 c. Each of the directors 1152 a-1152 c may be coupled to theCM 1154 so that any one of the directors 1152 a-1152 c may send amessage and/or data to any other one of the directors 1152 a-1152 cwithout needing to go through the memory 1126. The CM 1154 may beimplemented using conventional MUX/router technology where a sending oneof the directors 1152 a-1152 c provides an appropriate address to causea message and/or data to be received by an intended receiving one of thedirectors 1152 a-1152 c. In addition, a sending one of the directors1152 a-1152 c may be able to broadcast a message to all of the otherdirectors 1152 a-152 c at the same time.

Refer to FIG. 26, a diagram 1200 illustrates a system that includes asource group 1202, a local destination 1204, and a remote destination1206. The source group 1202 communicates with both the local destination1204 and the remote destination 1206. The source group 1202 mayrepresent a single storage device, a plurality of storage devices, asingle or plurality of storage devices with a single host, or a singleor plurality of storage devices with multiple hosts. Data is generatedat the source group 1202 and stored at the source group 1202 andtransmitted to the local destination 1204 and the remote destination1206. In some embodiments, the local group may operate in some ways asdiscussed above in connection with the embodiment described above inconnection with FIG. 14.

In an embodiment herein, the local destination 1204 represents a singleor plurality of storage devices that are in relatively close proximityto the source group 1202 to allow for synchronous data mirroring fromthe source group 1202 to the local destination 1204. In an embodimentherein, the local destination 1204 is located in the same building, atthe same facility, and/or at the same corporate location as the sourcegroup 1202. Thus, for example, the local destination 1204 may representa backup storage device (or plurality of storage devices) managed by thesame group of individuals that manages the source group 1202.

The remote destination 1206 represents a storage device and/or aplurality of storage devices at a location that is geographicallydistant from the source group 1202. For example, the remote destination1206 may represent a storage device or group of storage devices on thewest coast of the United States while the source group 1202 is locatedon the east coast of the United States. Because of the relatively largegeographic distance between the source group 1202 and the remotedestination 1206, it may be impractical to use a synchronous orsemi-synchronous data transfer mode to mirror data on the remotedestination 1206 from the source group 1202. That is, because of thelong round trip time from the source group 1202 to the remotedestination 1206 and back to the source group 1202, it may not befeasible to use synchronous or semi-synchronous data mirroring whichprovides for acknowledgment of data at the remote destination 1206 priorto acknowledging a write to a host of the local group 1202. In suchcase, it may be possible to use ordered writes between the source group1202 and the remote destination 1206 so that the remote destination 1206is a consistent, although somewhat time delayed, mirror of the sourcegroup 1202.

A communication path 1208 may also exist between the local destination1204 and the remote destination 1206. As long as the source group 1202is operational, the communication path 1208 may not be used. However, ininstances where the source group 1202 becomes non-operational and/or ininstances where the communication links between the source group 1202and one or both of the local destination 1204 and the remote destination1206 become non-operational, then the communication path 1208 may beused to synchronize the data between the local destination 1204 and theremote destination 1206, as described in more detail elsewhere herein.In addition, a host may be provided to one of the local destination 1204or the remote destination 1206 to resume operation of the system aftersynchronization, as described in more detail elsewhere herein. Note thatif the operation is resumed with a host coupled to the local destination1204, then the communication link 1208 may be used so that the remotedestination 1206 is a mirror of the local destination 1204. Conversely,if operation is resumed by providing a host to the remote destination1206, then the communication link 1208 may be used so that the localdestination 1204 is a mirror of the remote destination 1206.

Referring to FIG. 27, a flow chart 1230 illustrates steps performed inconnection with initializing parameters at the local destination 1204 toprovide the recovery mechanism discussed herein. The recovery mechanismdescribed herein uses the Symmetrix Differential Data Facility (SDDF),which allows for a plurality sessions, each having a bitmap associatedtherewith with bits that are set to one whenever there is a write to acorresponding data location during a particular time period. If no writeoccurs to a particular location, the corresponding bit remains cleared(i.e., remains zero). In an embodiment herein, each bit may correspondto a track of data. However, for other embodiments, it is possible tohave each bit correspond to larger or smaller increments of data and itis also possible that different bits and/or different sets of bitscorrespond to different amounts of data.

Operations associated with an SDDF session include creating an SDDFsession, activating an SDDF session, clearing bits of the bitmap for anSDDF session, deactivating an SDDF session, and terminating an SDDFsession. Creating an SDDF session, clearing the bits thereof, andterminating an SDDF session are fairly self-explanatory. Activating anSDDF session causes a bit of the SDDF session bitmap to be set whenevera corresponding track (or other appropriate data increment) is written.Deactivating an SDDF session suspends the setting of bits. The SDDFmechanism discussed herein may be implemented using the descriptionprovided in U.S. Pat. No. 6,366,986, which is incorporated by referenceherein.

Processing for the flow chart 1230 begins at a first step 1232 where afirst SDDF session, SDDF_(—)1, is created. In an embodiment describedherein, creation of an SDDF session does not cause automatic activationof the session. Following step 1232 is a step 1234 where the bits of thebitmap of the SDDF session created at the step 1232 are cleared.Following step 1234 is a step 1236 where a second SDDF session,SDDF_(—)2, is created. Following step 1236 is a step 1238 where the bitsof the bitmap of the SDDF session created at the step 1236 are cleared.

Following the step 1238 is a step 1242 where a state is initialized. Thestate initialized at the step 1242 may be used to determine which of theSDDF sessions, SDDF_(—)1 or SDDF_(—)2, will be activated. As describedin more detail elsewhere herein, there may be two possible states andthe state set at the step 1242 may be toggled to cause the SDDF_(—)1session and the SDDF_(—)2 session to be alternatively activated. Inother embodiments, a token or some other type of variable may be used toindicate the selection of either SDDF_(—)1 or SDDF_(—)2. Following thestep 1242 is a step 1244 where SDDF_(—)1 is activated. ActivatingSDDF_(—)1 at the step 1244 causes the bits of the bit map of theSDDF_(—)1 session to be set whenever a track (or other data increment)of the local destination 1204 is modified.

The SDDF_(—)1 and SDDF_(—)2 sessions are used by the local destination1204 to keep track of the active and inactive buffers used by the sourcegroup 1202 in connection with ordered writes by the source group 1202 tothe remote destination 1206. As discussed in more detail elsewhereherein, each time the source group 1202 makes a cycle switch inconnection with ordered writes from the source group 1202 to the remotedestination 1206, the source group 1202 sends a message to the localdestination 1204 indicating that a cycle switch has been performed sothat the local destination 1204 may toggle the state (initialized in thestep 1242, discussed above). Use of the cycle switch information by thelocal destination 1204 is discussed in more detail elsewhere herein.

Referring to FIG. 28A, a flow chart 1250 illustrates steps performed bythe local destination 1204 in connection with receiving an I/O from thesource group 1202 during normal (i.e., non-failure) operation.Processing begins at a first step 1252 where the I/O is received by thelocal destination 1204. Following the step 1252 is a test step 1254which determines if the I/O received from the source group 1202indicates that the local group 1202 is ready to switch in connectionwith ordered writes between the local group 1202 and the remotedestination 1206. The local group 1202 being ready to switch isdescribed in more detail elsewhere herein.

If the received data indicates that the local group 1202 is ready toswitch, then control transfers from the step 1254 to a step 1256, whereit is determined if the inactive one of the SDDF sessions (SDDF_(—)1 orSDDF_(—)2) is clear. In some embodiments, the SDDF sessions may becleared at the step 1256. In other instances, the amount of time neededto clear an SDDF session at the step 1256 would be unacceptable, inwhich case more than two SDDF sessions may be used for SDDF_(—)1 andSDDF_(—)2 and may be rotated so that an SDDF session that is about to beactivated is always cleared asynchronously. In any event, the processingperformed at the step 1256 relates to clearing the inactive one ofSDDF_(—)1 and SDDF_(—)2 so that, after performing the step 1256, theinactive session is clear.

Following the step 1256 is a step 1258 where the inactive one of theSDDF sessions is activated so that both SDDF_(—)1 and SDDF_(—)2 areactivated after performing the processing at the step 1258. Thus,subsequent writes reflected in the bitmaps for both SDDF_(—)1 andSDDF_(—)2. Following the step 1258, processing is complete.

If it is determined at the step 1254 that the received data does notcorrespond to a ready to switch signal, then control transfers from thestep 1254 to a test step 1262 where it is determined if the receiveddata corresponds to a cycle switch being performed. If so, then controltransfers from the step 1262 to a step 1264 where the state, initializedat the step 1242 of the flow chart 1230 of FIG. 27, is toggled. Asdiscussed elsewhere herein, the state is used to determine which one ofSDDF_(—)1 and SDDF_(—)2 will be activated and deactivated. Following thestep 1264 is a step 1266, where one of the SDDF sessions, SDDF_(—)1 orSDDF_(—)2, is deactivated, depending on the particular value of thestate set at the step 1264. Note that even though an SDDF session isdeactivated at the step 1266, that SDDF session is not cleared until thenext ready to switch signal is received. Of course, if more than twoSDDF sessions are used for SDDF_(—)1 and SDDF_(—)2, as discussed above,then the SDDF session deactivated at the step 1266 may be maintainedwhile another SDDF session is cleared to prepare for being activated atthe step 1258, discussed above.

If it is determined at the step 1262 that the received data does notcorrespond to a cycle switch, then control transfers from the test step1262 to a step 1268 where the I/O is performed. For example, if the I/Ois a write operation, then, at the step 1268, data is written to thestorage area of the local destination 1204. Following step 1268 is astep 1272 where it is determined if the I/O operation is a writeoperation. If not (e.g., the I/O operation is a read operation), thenprocessing is complete. Otherwise, control transfers from the step 1272to a step 1274 where a bit is set in the appropriate one of the SDDFsessions, SDDF_(—)1, SDDF_(—)2, or both depending upon which one of theSDDF sessions is activated. Following step 1274, processing is complete.

In some instances, it may not be desirable to wait to clear an SDDFbitmap just prior to pointing the same SDDF bitmap. In those cases, itmay be useful to have more than two SDDF bitmaps where two at a time areused like SDDF_(—)1 and SDDF_(—)2 while the remainder of the SDDFbitmaps are already clear and waiting to be used or are being clearedusing a background process. For example, using three bitmaps SDDF_A,SDDF_B, and SDDF_C, SDDF_(—)1 may correspond to SDDF_A while SDDF_(—)2may correspond to SDDF_C. In such a case, SDDF_B may be cleared whileprocessing is being performed on SDDF_A and SDDF_C. When the cycleswitches, SDDF_B (which is already clear) may be used while SDDF_C iscleared using a background process that may run even after the cycleswitch is complete and new data is being logged to SDDF_B.

Referring to FIG. 28B, a flow chart 1280 illustrates an alternativeembodiment that uses a plurality of SDDF bitmaps, SDDF[0], SDDF[1], . .. SDDF[NMAPS−1], where NMAPS is the number of SDDF maps. In anembodiment herein, NMAPS is greater than two (e.g., three). Many of thestep of the flow chart 1280 are like steps of the flow chart 1250 ofFIG. 28A.

Processing begins at a first step 1282 where the I/O is received by thelocal destination 1204. Following the step 1282 is a test step 1283which determines if the I/O received from the source group 1202indicates that the local group 1202 is ready to switch in connectionwith ordered writes between the local group 1202 and the remotedestination 1206. The local group 1202 being ready to switch isdescribed in more detail elsewhere herein.

If the received data indicates that the local group 1202 is ready toswitch, then control transfers from the step 1283 to a step 1284 wherean index, K, is incremented and the result thereof is set to moduloNMAPS. Following the step 1284 is a step 1285, where it is confirmedthat SDDF[K] is clear. Following the step 1285 is a step 1286 whereSDDF[K] is activated so that both SDDF[K] and SDDF[K-1] are activatedafter performing the processing at the step 1286. Thus, subsequentwrites reflected in the bitmaps for both SDDF[K] and SDDF[K-1].Following the step 1286, processing is complete. Note that, if K iszero, then SDDF[K-1] actually refers to SDDF[NMAPS−1].

If it is determined at the step 1283 that the received data does notcorrespond to a ready to switch signal, then control transfers from thestep 1283 to a test step 1287, where it is determined if the receiveddata corresponds to a cycle switch. If it is determined at the step 1287that the received data corresponds to a cycle switch (see discussionabove in connection with the flow chart 1250 of FIG. 28A), then controltransfers from the step 1287 to a step 1288 where the state (discussedabove) is toggled. Following the step 1288 is a step 1289 where avariable J is set equal to (K−2) modulo NMAPS. Since K is an indexvariable used to keep track of the most recently activated SDDF bitmap,setting J at the step 1289 causes J to point to the third most recentlyactivated SDDF bitmap. Following the step 1289 is a step 1292 where aprocess is started to clear the SDDF[J] bitmap. As discussed elsewhereherein, it is not necessary for the process begun at the step 1292 to becompleted in order to complete the cycle switch and to beginaccumulating new data.

Following the step 1292 is a step 1294 where a variable J is set equalto (K−1) modulo NMAPS. Since K is an index variable used to keep trackof the most recently activated SDDF bitmap, setting J at the step 1294causes J to point to the second most recently activated SDDF bitmap.Following the step 1294 is a step 1296 where SDDF[J] is deactivated.However, even though SDDF[J] is deactivated at the step 1296, the datais maintained for restoration purposes until the next cycle switch.Following the step 1296, processing is complete.

Referring to FIG. 28C, a flow chart 1300 illustrates yet anotherembodiment for processing related to the local destination 1204receiving an I/O from the source group 1202 during normal (i.e.,non-failure) operation. Processing begins at a first step 1302 where theI/O is received by the local destination 1204. Following the step 1302is a test step 1304 where it is determined if the received datacorresponds to a cycle switch being performed. If so, then controltransfers from the step 1304 to a test step 1306 where it is determinedif two or more cycle switches have occurred since the last time thestate was toggled. If not, then processing is complete. Otherwise,control transfers from the step 1306 to a step 1307 where it isdetermined if the currently inactive SDDF session, SDDF_X, is clear. Ifso, then control transfers from the step 1307 to a step 1308 where thestate, initialized at the step 1242 of the flow chart 1230 of FIG. 27,is toggled. As discussed elsewhere herein, the state is used todetermine which one of SDDF_(—)1 and SDDF_(—)2 will be activated anddeactivated.

Following the step 1308 is a step 1309 where one of the SDDF sessions,SDDF_(—)1 or SDDF_(—)2, as indicated by the state, is activated.Following the step 1309 is a step 1312 where the other one of the SDDFsessions is deactivated. Following the step 1312, processing iscomplete.

If it is determined at the test step 1307 that SDDF_X is not clear, thencontrol transfers from the step 1307 to a step 1313, where it isdetermined if clearing SDDF_X has already been started (i.e., in aprevious iteration). If so, then processing is complete. Otherwise,control transfers from the step 1313 to a step 1314, where a process toclear SDDF_X is begun. Following the step 1314, processing is complete.

If it is determined at the step 1304 that the received data does notcorrespond to a cycle switch, then control transfers from the test step1304 to a step 1316 where the I/O is performed. For example, if the I/Ois a write operation, then, at the step 1316 data is written to thestorage area of the local destination 1204. Following step 1316 is astep 1317 where it is determined if the I/O operation is a writeoperation. If not (e.g., the I/O operation is a read operation), thenprocessing is complete. Otherwise, control transfers from the step 1317to a step 1318 where a bit is set in the appropriate one of the SDDFsessions, SDDF_(—)1 or SDDF_(—)2, (SDDF_X or SDDF_Y) depending uponwhich one of the SDDF sessions is activated. Following step 1318,processing is complete.

Referring to FIG. 29, a flow chart 1320 illustrates steps performed inconnection with collecting recovery data at the remote destination 1206.Unlike the local destination 1204, which is always collecting recoverydata during steady state operation, the remote destination 1206 may notcollect recovery data unless and until it receives a signal to do so. Inan embodiment herein, the source group 1202 may provide such a signal tothe remote destination 1206 when, for example, the source group 1202detects that the link(s) between the source group 1202 and the localdestination 1204 are not working and/or when the source group 1202detects that the local destination 1204 is not appropriately receivingor processing data. In other embodiments or in other situations, theremote destination 1206 may receive an appropriate signal from alocation or element other than the source group 1202.

Processing begins at a first step 1322 where a third SDDF session,SDDF_(—)3 is created. Following the step 1322 is a step 1324 where thebitmap of the SDDF session created at the step 1322 is cleared.Following step 1324 is a step 1326 where a token value (described inmore detail elsewhere herein) is set to zero. Following the step 1326,processing is complete.

Referring to FIG. 30, a flow chart 1330 illustrates steps performed bythe remote destination 1206 in connection with collection of recoverydata. Processing begins at a first step 1331 where the remotedestination 1206 waits for a failure message from the source group 1202or from some other source, as appropriate. Once a failure message hasbeen received, control transfers from the step 1331 to a step 1332 whereSDDF_(—)3 session is activated to begin collecting data regarding thetracks (or other appropriate data increments) of the remote destination1206 to which a write has been performed. Note, however, that SDDF_(—)3reflects writes that have been committed (i.e., are one behind thecurrent cycle being received).

Following the step 1332 is a step 1333 where a token value (describedbelow) is initialized to zero. Following the step 1333 is a step 1334where the remote destination 1206 receives an I/O from the source group1202. Note that the I/O received at the step 1334 may represent orderedwrites data that the local group 1202 sends to the remote destination1206 in non-failure mode.

Following the step 1334 is a test step 1336 which determines if the I/Oreceived from the source group 1202 at the step 1334 indicates a cycleswitch by the source group 1202. If not (i.e., the data is conventionalordered writes data to be written to the remote destination 1206 or someother type of data), then control transfers from the test step 1336 backto the step 1334 to receive the next I/O.

If it is determined at the test step 1336 that the data from the sourcegroup 1202 indicates a cycle switch, then control transfers from thetest step 1336 to a step 1338 to increment the token, which keeps trackof the number of cycle switch since beginning collection of recoverydata. Following the step 1338 is a step 1342 where the bitmap of theSDDF_(—)3 is set to reflect data of the committed cycle that had beenwritten. Note that the processing at the step 1342 may be performedautomatically in connection with operation of the activated SDDFsessions, in which case in may not be necessary to make the step 1342part of the recovery process shown if FIG. 30.

Note that the committed cycle is the cycle used to collect data prior tothe cycle switch. Following the step 1342 is a test step 1344 whichdetermines if processing is complete (i.e., collection of error recoverydata is complete). Processing may be complete if the error situation(e.g., failed link from the local group 1202 to the local destination1204) has been rectified or, for example, if the local destination 1204and the remote destination 1206 are being synchronized (discussedbelow). If it is determined at the step 1344 that processing is notcomplete, then control transfers from the test step 1344 back to thestep 1334 to receive another I/O. Otherwise, control transfers from thestep 1344 back to the step 1331 to wait for a new failure message. Notethat, in some embodiments, processing being complete at the step 1344may also cause certain recovery parameters to be reset, as discussed inmore detail below.

Referring to FIG. 31, a flow chart 1360 indicates steps performed inconnection with synchronizing the local destination 1204 and the remotedestination 1206. As discussed above, the local destination 1204 and theremote destination 1206 may be synchronized by transferring datatherebetween using the communication link 1208. After synchronization,the system may be restarted at the local destination 1204 or at theremote destination 1206 using the other as a mirror.

In connection with the synchronization, it may be useful to decide whichof the local destination 1204 and remote destination 1206 has the latest(i.e., the most up-to-date) data so that the data is transferred fromthe one of the remote destination 1206 and local destination 1204 thathas the most up-to-date data to the other.

Processing for the flow chart 1360 begins at a first step 1362, wherethe links are dropped between the source group 1202 and the localdestination 1204 and the links are dropped between the source group 1202and the remote destination 1206. Dropping the links at the step 1362helps ensure that the synchronization process will not be corrupted.Following the step 1362 is a step 1364 where the SDDF maps, createdwhile recovery information was being collected, is preserved. Followingthe step 1364 is a step 1366 where ordered writes between the sourcegroup 1202 and the local destination 1204 is terminated, for reasonssimilar to dropping the links at the step 1362.

Following the step 1366 is a test step 1368 where it is determined ifthe token value (discussed above) is greater than a predetermined valueN. Note that the token value indicates the number of cycle switches thathave occurred since collection of error recovery data began at theremote destination 1206. If the link between the source group 1202 andthe local destination 1204 has not been working and the remotedestination 1206 has begun collection of recovery data, then the remotedestination 1206 may contain more up-to-date data than the localdestination 1204. This will be determined by looking at the value of thetoken, which indicates the number of cycle switches that have occurredsince the remote destination 1206 received a signal to begin collectingrecovery data. Thus, if it is determined at the test step 1368 that thetoken is greater than some pre-determined value N (e.g., two), thencontrol transfers from the test step 1368 to a step 1371, where thebitmaps for all of the SDDF sessions (SDDF_(—)1, SDDF_(—)2, andSDDF_(—)3) are ORed (using an inclusive OR) to determine the tracks (orother data amounts) of the remote destination 1206 and possibly of thelocal destination 1204 that correspond to data for the active andinactive buffers sent or in transit between the source group 1202 andthe remote destination 1206 prior to failure of the source group as wellas possible data that may be different on the local destination 1204.

Following the step 1371 is a step 1372 where the remote destination 1206sends data from the tracks corresponding to the set bits of the bitmapthat was the result or ORing the three bitmaps for SDDF_(—)1, SDDF_(—)2,and SDDF_(—)3. The data from these tracks may be copied to the localdestination 1204 so that the remote destination 1206 and the localdestination 1204 may be synchronized. Following the step 1372,processing is complete. In an embodiment herein, N may be set to be nolower than two. Also, note that it may be possible to resume operationwith a host coupled to an appropriate one of the local destination 1204or the remote destination 1206 prior to completion of the copiesinitiated at the step 1376 or at the step 1372.

If it is determined at the test step 1368 that the token does not have avalue greater than N (e.g., the token is zero), then control transfersfrom the test step 1368 to a step 1374 where the bitmaps for all of theSDDF sessions (SDDF_(—)1, SDDF_(—)2, and, if it exists, SDDF_(—)3) areORed (using an inclusive OR) to determine the tracks (or other dataamounts) of the local destination 1204 that correspond to data for theactive and inactive buffers sent or in transit between the source group1202 and the remote destination 1206 prior to failure of the sourcegroup 1202. Following the step 1374 is a step 1376 where the datacorresponding to the ORing of the bitmaps is sent from the localdestination 1204 to the remote destination 1206 via the communicationlink 1208. Once the data is sent from the local destination 1204 to theremote destination 1206, then the local destination 1204 and the remotedestination 1206 will be synchronized. Following the step 1376,processing is complete.

The step 1372, 1374, 1376 may be accomplished using any number ofappropriate techniques. For example, a background copy may be initiatedto copy the data using bits indicated by the result of ORing the bitmapsof the SDDF sessions. In an embodiment herein, the steps 1372, 1374,1376 are performed using RDF, where an R1/R2 pair is first establishedusing, for example, the Dynamic RDF mechanism disclosed in U.S. patentapplication Ser. No. 09/997,810, which is incorporated by referenceherein. Following that, the bitmaps may be used to modify device tablemaps in one or both of the local destination 1204 and the remotedestination 1206 to cause the RDF mechanism to perform a backgroundcopy.

Referring to FIG. 32, a flow chart 1380 illustrates in more detail stepsperformed in connection with the terminate ordered writes step 1366 ofthe flow chart 1360 of FIG. 31. Note that the processing of FIG. 32illustrates clean up when the source group 1202 uses a single storagedevice. In instances where the source group 1202 includes more than onestorage device, then the processing illustrated by the FIG. 23 may beused instead.

Processing begins at a first test step 1382 where it is determined ifall of the ordered writes data received by the remote destination 1206from the source group 1202 has been completely processed (saved by theremote destination). That is, at the test step 1382, it is determined ifthere is any data at the remote destination 1206 corresponding toordered writes cycles that have not been stored on the disk space of theremote destination 1206 or at least in the cache and marked for write tothe disk space. If it is determined at the test step 1382 that allordered writes data has been processed at the remote destination 1206,then processing is complete.

If it is determined at the test step 1382 that some of the orderedwrites data from the source group 1202 has not been processed, thencontrol transfers from the test step 1382 to a test step 1384 whichdetermines if the received, but unprocessed, ordered writes data at theremote destination 1206 corresponds to a complete ordered writes cycle.Note that, as the source group 1202 sends data corresponding to aparticular cycle to the remote destination 1206, the cycle at the remotedestination 1206 is not complete unless and until a commit message issent from the source group 1202 to the remote destination 1206. If it isdetermined at the test step 1384 that the unprocessed data correspondsto a complete ordered write cycle, then control transfers from the teststep 1384 to a step 1385 where the data for the cycle is stored bysaving the data to the disk of the remote destination 1206 and/ormarking the data in the cache of the remote storage device 1206 forwrite to the disk thereof. Following the step 1385, processing iscomplete.

If it is determined at the test step 1384 that the unprocessed orderedwrites data from the source group 1202 does not correspond to a completecycle, then control transfers from the test step 1384 to a step 1386where invalid bits are set on the device table of the remote destination1206. The invalid bits set at the step 1386 indicate that tracks (orsome other data increment) of the remote destination 1206 containinvalid data and thus need to be copied from another device to bebrought up-to-date. In this instance, the other device may be the localdestination 1204, depending upon which of the local destination 1204 andthe remote destination 1206 contains the most up-to-date information.The particular tracks (or other data elements) that are set to invalidin the device table of the remote destination 1206 correspond to thetracks indicated by the unprocessed ordered writes data received fromthe source group 1202. Following step 1386 is a step 1387 where theunprocessed ordered writes data for the incomplete cycle is discarded.Following step 1387, processing is complete.

Referring to FIG. 33, a flow chart 1390 illustrates in more detail stepsperformed in connection with the step 1376 where data is copied from thelocal destination 1204 to the remote destination 1206 or the step 1372where data is copied from the remote destination 1206 to the localdestination 1204. Processing begins at a first step 1392 where the OR ofSDDF_(—)1, SDDF_(—)2, and SDDF_(—)3 (from the step 1374) is used to seta device table at whichever one of the local destination 1204 and theremote destination 1206 will be the R1 device after recovery. If data isto be copied from the R1 device to the R2 device, then the device tablelocations corresponding to remote tracks are set at the step 1392.Otherwise, if data is to be copied from the R2 device to the R1 device,then the device table locations corresponding to local tracks are set atthe step 1392. In many instances, the tracks corresponding to themodification of the table at the step 1392 will be the same or asuperset of the modification to the table from the step 1386, discussedabove.

Following step 1392 is a step 1396 where the background copy process isbegun. The background copy process begun at the step 1396 causes data tocopied in a background process. Following step 1396, processing iscomplete.

Referring to FIG. 34, a flow chart 1450 illustrates steps performed inconnection with reinitializing the recovery parameters once normaloperation is restored between the source group 1202, the localdestination 1204, and the remote destination 1206. Processing begins ata first step 1452 where both of the SDDF sessions, SDDF_(—)1 andSDDF_(—)2, are deactivated. Following the step 1452 is a step 1454 whereSDDF_(—)1 is cleared. Following step 1454 is a step 1456 where SDDF_(—)2is cleared. Following the step 1456 is a step 1458 with a pointer thatpoints to one of the SDDF sessions is made to point SDDF_(—)1. Followingstep 1458 is a step 1462 where SDDF_(—)1 is activated. Following step1462, processing is complete.

Referring to FIG. 35, a flow chart 1470 illustrates steps performed inconnection with resetting recovery parameters used by the remotedestination 1206. Processing begins at a first step 1472 where SDDF_(—)3is deactivated. Following the step 1472 is a step 1474 where SDDF_(—)3is cleared. Following the step 1474 is a step 1476 where the token usedby the remote destination 1206 is cleared (set to zero). Following thestep 1476, processing is complete. Note that, in some embodiments, it ispossible to also terminate SDDF_(—)3 at or after the step 1472 so thatSDDF_(—)3 may be recreated at the step 1322 of the flow chart 1320 ofFIG. 29, discussed above.

Referring to FIG. 36, a diagram shows a possible configuration of thesource group 1202. In the diagram of FIG. 36, the source group 1202includes a host 1502 coupled to a single local storage device 1504. Thelocal storage device 1202 is coupled to both the local destination 1204and the remote destination 1206. In the configuration shown in FIG. 36,all of the processing described herein may be performed by the localstorage device 1504 or, alternatively, some of the processing may beperformed by the host 1502, as appropriate.

Referring to FIG. 37, a diagram shows another configuration of thesource group 1202 where a host 1512 is coupled to a plurality of localstorage devices 1514-1516. Each of the local storage devices 1514-1516is coupled to both the local destination 1204 and the remote destination1206. In the configuration shown in FIG. 37, the host 1512 may handlesome of the processing described herein such as, for example, cycleswitching for all of the local storage devices 1514-1516 in connectionwith ordered writes.

In some instances, it may be desirable to prevent cycle switching ifthere is difficulty with data transfers between the source group 1202and the local destination 1204. Of course, in instances of completefailure of the local destination 1204 or complete failure of linksbetween the source group 1202 and the local destination 1204, the systemmay stop working completely and recovery will proceed as describedabove. However, in other cases where there may be intermittent failure(e.g., transient connectivity loss for the links between the sourcegroup 1202 and the local destination 1204), it may be desirable tosimply not cycle switch on the source group 1202 in connection withcommunication between the source group 1202 and remote destination 1206,unless and until corresponding data is first successfully transferredfrom the source group 1202 to the local destination 1204. Thisenhancement is described below.

Referring FIG. 38, a flow chart 200′ illustrates a modified portion ofthe flow 200 of FIG. 6, which shows steps performed in connection withtransferring data from an inactive one of the lists 72, 74 (shown inFIG. 3) to another storage device. The flow chart 200′ shows the step204 and the step 212 which are also in the flow chart 200 and describedabove in connection with the text that explains FIG. 6. However, as setforth in more detail below, the flow chart 200′ contains additional newsteps that are not provided in the flow chart 200 of FIG. 6.

Following the step 204 is a test step 1602 which determines if the databeing transferred to another storage device is special data. As used inconnection with the flow chart 200′, special data at the step 1602refers to data being transmitted from the source group 1202 to both thelocal destination 1204 and to the remote destination 1206. In anembodiment herein, special data may be identified using built inmechanisms to determine if the data is queued for transfer to both thelocal destination 1204 and the remote destination 1206. Of course, othermechanisms for identifying and testing for special data may be used.

If it is determined at the test step 1602 that the data is not specialdata, then control transfers from the step 1602 to the step 212 to sendthe data as described above in connection with the flow chart 200 ofFIG. 6. Following the step 212, processing continues as shown in theflow chart 200 of FIG. 6 and described elsewhere herein. If it isdetermined that the test step 1602 that the data being sent is specialdata (is being transferred from the source group 1202 to both the localstorage device 1204 and the remote storage device 1206), then controltransfers from the test step 1602 to a test step 1604 where it isdetermined if the particular transfer being examined is a transfer ofthe special data from the source group 1202 to the remote destination1206. As discussed elsewhere herein, it is desirable to avoid sendingdata from the source group 1202 to the remote destination 1206 unlessand until the data has first been successfully transferred from thesource group 1202 to the local destination 1204. Thus, the test at thestep 1604 determines if the specific data transfer being examined is atransfer from the source group 1202 to the remote destination 1206. Ifnot, then control transfers from the test step 1604 to the step 212 tocontinue processing, as described elsewhere herein. Otherwise, if it isdetermined at the test step 1604 that the data being examinedcorresponds to a transfer from the source group 1202 to the remotedestination 1206, then control transfers from the test step 1604 to atest step 1606, which determines if the corresponding transfer of thedata from the source group 1202 to the local destination 1204 hadpreviously completed successfully. That is, for a given slot or portionof data being transferred to both the remote destination 1206 and thelocal destination 1204, the test at the step 1606 determines if thetransfer from the source group 1202 to the local destination 1204 wasperformed successfully. If not, control transfers from the test step1606 to a step 1607, where error processing/testing are performed.

In some cases, the inability to transfer data from the source group 1202to the local destination 1204 causes the system to begin accumulatingdata at the remote destination 1206 by, for example, causing a failuremessage to be sent to the remote destination (see the flow chart 1330 ofFIG. 30 and corresponding description) and by exiting from theprocessing illustrated by the flow chart 200′ of FIG. 38 so that data issent from the source group 1202 to the remote destination 1206irrespective of whether the data was ever successfully sent from thesource group 1202 to the local destination 1204. Other processing mayoccur such as, for example, setting invalid bits in a device table fordata that is not transferred from the source group 1202 to the localdestination 1204. Note that if the connection between the source group1202 and the local destination 1204 is reestablished, it is possible tosynchronize the remote destination 1204 and then resume steady stateoperation as described herein (e.g., the steps of the flow chart 200′).

The criteria for determining whether or not to perform theabove-described error processing may be set according to a number offunctional factors discernable by one of ordinary skill in the art. Inan embodiment herein, the criteria is set according to the likelihoodthat there is a failure of the link between the source group 1202 andthe local destination 1204 and/or a failure of the local destination1204. For example, the error processing at the step 1607 may determinethat a failure has occurred if a certain amount of time has passedwithout data being successfully transferred from the source group 1202to the local destination 1204. If the error processing at the step 1607determines that a failure has not occurred (and thus processing shouldcontinue), then control transfers from the step 1607 to a test step1608, which determines if there is more inactive data to be sent fromthe source group 1202 to the remote destination 1206. If so, thencontrol transfers from the test step 1608 to a step 1612 where a pointerthat iterates through the data (e.g., iterates through elements of theinactive one of the lists 74, 76) is adjusted to point to the nextinactive block of data to be sent. Following the step 1612, controltransfers back to the step 204, to continue processing as discussedelsewhere herein.

If it is determined at the test step 1608 that there is not moreinactive data to be sent, then control transfers from the test step 1608to a step 1614 where the process waits. Since it has already beendetermined that the data being sent corresponds to a transfer from thesource group 1202 to the remote destination 1206 (at the test step1604), and it has been established that the corresponding transfer fromthe source group 1202 to the local destination 1204 has not completedyet (according to the test at the step 1606), then if it is determinedat the test step 1608 that there is no more data to be sent, then it isappropriate to wait at the step 1614 so that either more inactive datawill be made available to send or until another process successfullytransfers corresponding data from the source group 1202 to the localdestination 1204, thus altering the result at the test step 1606 for thenext iteration. Following the step 1614, control transfers back to thestep 204 to continue processing as described elsewhere herein.

If it is determined at the test step 1606 that the correspondingtransfer to the local destination 1204 had previously completedsuccessfully, then control transfers from the test step 1606 to anothertest step 1616 to determine if the data being transferred has more thanone slot associated therewith in connection with the transfer (e.g., anactive slot and an inactive slot). As discussed elsewhere herein, undercertain conditions, it is possible for there to be more than one slotassociated with what would otherwise be a single slot. See, for example,the discussion above in connection with the flow chart 440 of FIG. 12and the steps 446, 472, 474, 476, 478. Thus, if it is determined at thetest step 1616 that there is not more than one slot, then controltransfers from the test step 1616 to the step 212, to continueprocessing as described elsewhere herein. Otherwise, if it is determinedat the test step 1616 that there is more than one corresponding slot,then control transfers from the test step 1616 to a test step 1618,which determines if the transfer of the other slots to the local storagedevice 1204 had been successful, like the test for the slot at the step1606. If it is determined at the test 1618 that all of the othercorresponding slots were transferred properly to the local storagedevice 1204, then control transfers from the test step 1618 to the step212 to continue processing as described elsewhere herein. Otherwise,control transfers from the test step 1618 to the step 1608, alsodescribed elsewhere herein.

In another embodiment of the system described herein, it is possible tonot use COVD's for the R2 device like those shown in the diagram 240 ofFIG. 7. That is, it is possible to implement the R2 receipt ofasynchronous data without using COVD's at the R2 device.

Referring to FIG. 39, a diagram 1640 shows a cache 1642 that is providedin the remote storage device 26 that receives data. The cache 1642includes a plurality of slots 1652-1654 in which asynchronous data thatis received from the local storage device 24 is placed. Also shown is afirst circularly linked list 1674 and a second circularly linked list1676 which contain pointers to the slots 1652-1654 of the cache 1642.Thus, for example, the circularly linked list 1674 includes a pluralityof pointers 1681-1685, each of which points to one of the slots1652-1654 in the cache 1642. Similarly, the circularly linked list 1676includes a plurality of pointers 1691-1695, each of which points to oneof the slots 1652-1654 of the cache 1642. A standard logical device 1698is also mapped to portions of the cache 1642.

In an embodiment herein, one of the lists 1674, 1676 corresponds to aninactive data chunk (e.g., like the chunk 56 shown in FIG. 2), while theother one of the lists 1674, 1676 corresponds to an active data chunk(e.g., like the chunk 58 of FIG. 2). Received data is accumulated usingan inactive one of the data chunks while the active one of the datachunks is used for storing data at the standard logical device 1698 asdescribed elsewhere herein in connection with the diagram 240 of FIG. 7and the corresponding text. Thus, as new data arrives, it is placed inthe cache 1642 and a new pointer is added to which one of the circularlylinked lists 1674, 1676 corresponds to the inactive data chunk when thedata is received.

In some instances, it may be useful to be able to determine whether aportion of the standard logical device 1698 (or any other logicaldevice) has a slot associated therewith in the cache 1642 correspondingto received data. Of course, it is always possible to traverse both ofthe lists 1674, 1676 to determine if there is a corresponding slot inthe cache 1642. However, it would be more useful if there were a way ofusing particular device, cylinder, and head values of a logical deviceto determine whether there is a corresponding one of the slots 1652-1654in the cache 1642 waiting to be destaged to the device.

Referring to FIG. 40, a diagram 1700 shows a hash table 1702 whichcontain a plurality of entries 1704-1706. In an embodiment herein, eachof the entries 1704-1706 either contains a null pointer or points to oneof the cache slots 1652-1654 that correspond to data that has beenreceived but not yet stored on the standard logical device 1698 (oranother standard logical device). The table 1702 is indexed using a hashfunction that performs a mathematical operation using the particularvalues of the device, cylinder, and head to generate an index into thetable 1702 to find the corresponding entry. Thus, when data is receivedby the R2 device, the hash function is applied to the device, cylinder,and head to find its index value into the table 1702 and then a pointeris written to the corresponding one of the entries 1704-1706 that pointsto the particular slot 1652-1654 in the cache 1642. Once the receiveddata is appropriately destaged to the standard logical device 1698 (oranother device), the corresponding one of the entries 1704-1706 is setto null. In this way, the hash table 1702 allows quickly determiningwhether a particular portion of a standard logical device corresponds toreceived data that has not yet been destaged. For the system describedherein, any appropriate hash function may be used to generate the indexinto the table 1702.

In some instances, it may possible for a particular device, cylinder,and head values to generate an index into the table 1702 that is thesame as an index generated by different values for the device, cylinder,and head. This is called a “collision”. In instances where collisionsoccur, a second entry into the table 1702 corresponding to the sameindex as provided and the second entry is linked to the first entry sothat a particular index would correspond to more than one entry. This isillustrated by an element 1708 that is linked to the element 1705 of thetable 1702. Thus, a first device, cylinder, and head are hashed togenerate and index to the entry 1705 while different device, cylinder,and head are input to the hash function to generate the same value forthe index. In an embodiment herein, the entry 1705 is used to point tothe data in the cache 1642 corresponding to the first device, cylinder,and head while the entry 1708 is used to point to data in the cache 1642corresponding to the second device, cylinder and head. Of course, asdata is destaged to an appropriate device, the corresponding one of theentries 1705, 1708 may be eliminated from the table 1700.

Note that any number of entries may correspond to a single index sothat, for example, if collisions occur that cause three separate sets ofvalues for device, cylinder, and head to generate the same index, thenthere would be three (or more) entries linked together at a particularindex into the table 1702. Note also that other appropriate techniquesmay be used to handle collisions, including providing additional tables(e.g., a second table, a third table, a fourth table, etc.).

Referring to FIG. 41, a diagram 1720 shows an alternative embodiment ofa hash table 1722 which contain a plurality of entries 1724-1726. Theembodiment of FIG. 41 is like the embodiment of FIG. 40, with a fewdifferences, as described herein. Each of the entries 1724-1726 eithercontains a null pointer or points to one of the cache slots 1728, 1732,1734, shown in the diagram 1720, that correspond to data that has beenreceived but not yet stored on the standard logical device 1698 (oranother standard logical device). The table 1722 is indexed using a hashfunction that performs a mathematical operation using the particularvalues of the device, cylinder, and head to generate an index into thetable 1722 to find the corresponding entry. Thus, when data is receivedby the R2 device, the hash function is applied to the device, cylinder,and head to find its index value into the table 1722 and then a pointeris written to the corresponding one of the entries 1724-1726 that pointsto the particular slot 1728, 1732, 1734. Once the received data isappropriately destaged to the standard logical device 1698 (or anotherdevice), the corresponding one of the entries 1724-1726 is adjustedappropriately. In this way, the hash table 1722 allows quicklydetermining whether a particular portion of a standard logical devicecorresponds to received data that has not yet been destaged. For thesystem described herein, any appropriate hash function may be used togenerate the index into the table 1722.

For the embodiment shown in FIG. 41, in instances where collisionsoccur, the first slot pointed to by a table entry points to the secondslot that caused the collision. Thus, for example, if the slot 1732 anda slot 1736 cause a collision at the table entry 1725, the table entry1725 points to the slot 1732 while the slot 1732 points to the slot1736. Thus, a collision does not cause any change in the table 1722 whenthe subsequent slot is added, since adding the subsequent slot simplyinvolves changing the pointer value for a previous slot. Of course, anynumber of slots may correspond to a single table entry.

Note that any number of entries may correspond to a single index sothat, for example, if collisions occur that cause three separate sets ofvalues for device, cylinder, and head to generate the same index, thenthere would be three (or more) entries linked together at a particularindex into the table 1702. Note also that other appropriate techniquesmay be used to handle collisions, including providing additional tables(e.g., a second table, a third table, a fourth table, etc.).

While the invention has been disclosed in connection with variousembodiments, modifications thereon will be readily apparent to thoseskilled in the art. Accordingly, the spirit and scope of the inventionis set forth in the following claims.

1. A method for storing recovery data, comprising: providing chunks ofdata to a remote destination, wherein each chunk of data represents datawritten before a first time and after a second time and wherein thesecond time for one of the particular chunks corresponds to a first timefor a subsequent one of the particular chunks; providing synchronousdata to a local destination; and providing an indicator to the localdestination in connection with creation of a new chunk of data forstorage at the remote destination.
 2. A method, according to claim 1,wherein the local destination maintains a plurality of maps, whereineach of the maps associates synchronous data being provided thereto witha specific chunk of data.
 3. A method, according to claim 2, wherein, inresponse to receiving an indicator in connection with creation of a newchunk of data, the local destination points to a new map.
 4. A method,according to claim 3, wherein there are two maps.
 5. A method, accordingto claim 3, wherein there are more than two maps.
 6. A method, accordingto claim 1, further comprising: in response to the local destinationfailing to acknowledge synchronous data provided thereto, the remotedestination maintaining a map of data written thereto.
 7. A method,according to claim 6, further comprising: in response to the localdestination failing to acknowledge synchronous data provided thereto,the remote destination maintaining a count of a number of times a newchunk of data is created.
 8. A method of recovering data stored on alocal destination and a remote destination, comprising: determiningwhich of the local destination and the remote has the most up-to-datedata; copying data from the remote destination to the local destinationif the remote destination has the most up-to-date data; and copying datafrom the local destination to the remote destination if the localdestination has the most up-to-date data.
 9. A method, according toclaim 8, wherein determining which of the local destination and theremote destination has the most up-to-date data includes examining atoken provided by the remote destination that indicates an amount of newdata that is stored on the remote destination that is not stored on thelocal destination.
 10. A method, according to claim 9, wherein the tokenindicates a number of new chunks of data provided to the remote storagedevice following failure of the local storage device to acknowledge dataprovided thereto, wherein each chunk of data represents data writtenbefore a first time and after a second time and wherein the second timefor one of the particular chunks corresponds to a first time for asubsequent one of the particular chunks.
 11. A method, according toclaim 8, wherein copying data from the remote destination to the localdestination includes copying data indicated by a map corresponding todata written to the remote destination that is not acknowledged as beingwritten to the local destination.
 12. A method, according to claim 8,wherein copying data from the local destination to the remotedestination includes copying data indicated by a plurality of mapscorresponding to data written to the local destination that is notacknowledged as being written to the remote destination.
 13. A method,according to claim 12, wherein the number of maps is two.
 14. A method,according to claim 12, wherein the number of maps is more than two. 15.Software that stores recovery data, comprising: executable code thatprovides chunks of data to a remote destination, wherein each chunk ofdata represents data written before a first time and after a second timeand wherein the second time for one of the particular chunks correspondsto a first time for a subsequent one of the particular chunks;executable code that provides synchronous data to a local destination;and executable code that provides an indicator to the local destinationin connection with creation of a new chunk of data for storage at theremote destination.
 16. Software, according to claim 15, wherein thelocal destination includes executable code that maintains a plurality ofmaps, wherein each of the maps associates synchronous data beingprovided thereto with a specific chunk of data.
 17. Software, accordingto claim 16, wherein, in response to receiving an indicator inconnection with creation of a new chunk of data, the local destinationpoints to a new map.
 18. Software, according to claim 17, wherein thereare two maps.
 19. Software, according to claim 17, wherein there aremore than two maps.
 20. Software, according to claim 15, furthercomprising: executable code at the remote destination that, in responseto the local destination failing to acknowledge synchronous dataprovided thereto, maintains a map of data provided thereto. 21.Software, according to claim 20, further comprising: executable code atthe remote destination that, in response to the local destinationfailing to acknowledge synchronous data provided thereto, maintains acount of a number of times a new chunk of data is created.
 22. Softwarethat recovers data stored on a local destination and a remotedestination, comprising: executable code that determines which of thelocal destination and the remote has the most up-to-date data;executable code that copies data from the remote destination to thelocal destination if the remote destination has the most up-to-datedata; and executable code that copies data from the local destination tothe remote destination if the local destination has the most up-to-datedata.
 23. Software, according to claim 22, wherein executable code thatdetermines which of the local destination and the remote destination hasthe most up-to-date data includes executable code that examines a tokenprovided by the remote destination that indicates an amount of new datathat is stored on the remote destination that is not stored on the localdestination.
 24. Software, according to claim 23, wherein the tokenindicates a number of new chunks of data provided to the remote storagedevice following failure of the local storage device to acknowledge dataprovided thereto, wherein each chunk of data represents data writtenbefore a first time and after a second time and wherein the second timefor one of the particular chunks corresponds to a first time for asubsequent one of the particular chunks.
 25. Software, according toclaim 23, wherein executable code that copies data from the remotedestination to the local destination includes executable code thatcopies data indicated by a map corresponding to data written to theremote destination that is not acknowledged as being written to thelocal destination.
 26. Software, according to claim 22, whereinexecutable code that copies data from the local destination to theremote destination includes executable code that copies data indicatedby a plurality of maps corresponding to data written to the localdestination that is not acknowledged as being written to the remotedestination.
 27. Software, according to claim 26, wherein the number ofmaps is two.
 28. Software, according to claim 26, wherein the number ofmaps is more than two.
 29. A system for storing recovery data,comprising: a source group; a remote destination coupled to the sourcegroup to receive therefrom chunks of data, wherein each chunk of datarepresents data written before a first time and after a second time andwherein the second time for one of the particular chunks corresponds toa first time for a subsequent one of the particular chunks; and a localdestination coupled to the source group to receive synchronous datatherefrom, wherein the source group provides an indicator to the localdestination in connection with creation of a new chunk of data forstorage at the remote destination.
 30. A system for recovering data,comprising: a source group that generates data; a local destination,coupled to the source group to receive synchronous data therefrom; aremote destination, coupled to the source group to receive asynchronousdata therefrom; means for determining which of the local destination andthe remote has the most up-to-date data; means for copying data from theremote destination to the local destination if the remote destinationhas the most up-to-date data; and means for copying data from the localdestination to the remote destination if the local destination has themost up-to-date data.